From 7b6cb4f9747a86f556d70e2ee20c7afc0c828742 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist <knsv@sveido.com>
Date: Thu, 1 Jun 2023 16:30:57 +0200
Subject: [PATCH 1/2] #4446 Updating the cleanup criteria

---
 cypress/helpers/util.js                |  2 +-
 cypress/integration/other/ghsa.spec.js |  9 ++-
 cypress/platform/xss23-css.html        | 85 ++++++++++++++++++++++++++
 packages/mermaid/src/mermaidAPI.ts     |  2 +-
 4 files changed, 95 insertions(+), 3 deletions(-)
 create mode 100644 cypress/platform/xss23-css.html

diff --git a/cypress/helpers/util.js b/cypress/helpers/util.js
index 7ec960b97b..4d13b35901 100644
--- a/cypress/helpers/util.js
+++ b/cypress/helpers/util.js
@@ -60,7 +60,7 @@ export const renderGraph = (graphStr, options, api) => {
   openURLAndVerifyRendering(url, options);
 };
 
-const openURLAndVerifyRendering = (url, options, validation = undefined) => {
+export const openURLAndVerifyRendering = (url, options, validation = undefined) => {
   const useAppli = Cypress.env('useAppli');
   const name = (options.name || cy.state('runnable').fullTitle()).replace(/\s+/g, '-');
 
diff --git a/cypress/integration/other/ghsa.spec.js b/cypress/integration/other/ghsa.spec.js
index 8f28d9f53d..912f357280 100644
--- a/cypress/integration/other/ghsa.spec.js
+++ b/cypress/integration/other/ghsa.spec.js
@@ -1,4 +1,4 @@
-import { urlSnapshotTest } from '../../helpers/util.js';
+import { urlSnapshotTest, openURLAndVerifyRendering } from '../../helpers/util.js';
 
 describe('CSS injections', () => {
   it('should not allow CSS injections outside of the diagram', () => {
@@ -13,4 +13,11 @@ describe('CSS injections', () => {
       flowchart: { htmlLabels: false },
     });
   });
+  it('should not allow manipulating styletags using arrowheads', () => {
+    openURLAndVerifyRendering('http://localhost:9000/xss23-css.html', {
+      logLevel: 1,
+      arrowMarkerAbsolute: false,
+      flowchart: { htmlLabels: true },
+    });
+  });
 });
diff --git a/cypress/platform/xss23-css.html b/cypress/platform/xss23-css.html
new file mode 100644
index 0000000000..cc5b6f0bf7
--- /dev/null
+++ b/cypress/platform/xss23-css.html
@@ -0,0 +1,85 @@
+<html>
+  <head>
+    <link href="https://fonts.googleapis.com/css?family=Montserrat&display=swap" rel="stylesheet" />
+    <link href="https://unpkg.com/tailwindcss@^1.0/dist/tailwind.min.css" rel="stylesheet" />
+    <link
+      rel="stylesheet"
+      href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"
+    />
+    <link
+      href="https://fonts.googleapis.com/css?family=Noto+Sans+SC&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      body {
+        /* background: rgb(221, 208, 208); */
+        /* background:#333; */
+        font-family: 'Arial';
+        /* font-size: 18px !important; */
+      }
+      h1 {
+        color: grey;
+      }
+      .mermaid2 {
+        display: none;
+      }
+      .mermaid svg {
+        /* font-size: 18px !important; */
+      }
+      .malware {
+        position: fixed;
+        bottom: 0;
+        left: 0;
+        right: 0;
+        height: 150px;
+        background: red;
+        color: black;
+        display: flex;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        font-family: monospace;
+        font-size: 72px;
+      }
+    </style>
+  </head>
+  <body>
+    <div>Security check</div>
+    <div class="flex">
+      <div id="diagram" class="mermaid"></div>
+      <div id="graph-div"></div>
+      <div id="res" class=""></div>
+    </div>
+    <script type="module">
+      import mermaid from './mermaid.esm.mjs';
+      mermaid.parseError = function (err, hash) {
+        // console.error('Mermaid error: ', err);
+      };
+      mermaid.initialize({
+        theme: 'base',
+        startOnLoad: false,
+        flowcharts: { htmlLabels: true },
+      });
+      function callback() {
+        alert('It worked');
+      }
+      function xssAttack() {
+        const div = document.createElement('div');
+        div.id = 'the-malware';
+        div.className = 'malware';
+        div.innerHTML = 'XSS Succeeded';
+        document.getElementsByTagName('body')[0].appendChild(div);
+        throw new Error('XSS Succeeded');
+      }
+
+      let diagram = `graph TD
+A[["a marker-end=#quot;url(<s title='#<style>*{background:red}</style>'>b"]]
+`;
+      const el = document.querySelector('#graph-div');
+      console.log(diagram);
+      const { svg } = await mermaid.render('graph-div', diagram);
+      document.querySelector('#res').innerHTML = svg;
+      window.rendered = true;
+    </script>
+  </body>
+</html>
diff --git a/packages/mermaid/src/mermaidAPI.ts b/packages/mermaid/src/mermaidAPI.ts
index e964076387..8e7f4d4b18 100644
--- a/packages/mermaid/src/mermaidAPI.ts
+++ b/packages/mermaid/src/mermaidAPI.ts
@@ -263,7 +263,7 @@ export const cleanUpSvgCode = (
 
   // Replace marker-end urls with just the # anchor (remove the preceding part of the URL)
   if (!useArrowMarkerUrls && !inSandboxMode) {
-    cleanedUpSvg = cleanedUpSvg.replace(/marker-end="url\(.*?#/g, 'marker-end="url(#');
+    cleanedUpSvg = cleanedUpSvg.replace(/marker-end="url\([/:A-Za-z-]*?#/g, 'marker-end="url(#');
   }
 
   cleanedUpSvg = decodeEntities(cleanedUpSvg);

From 55092f532f52df13c91e5e6e9dbdea33c40bd4b4 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist <knsv@sveido.com>
Date: Thu, 1 Jun 2023 17:39:54 +0200
Subject: [PATCH 2/2] #4446 Improved regular expression

---
 docs/config/setup/modules/mermaidAPI.md | 8 ++++----
 packages/mermaid/src/mermaidAPI.ts      | 5 ++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/docs/config/setup/modules/mermaidAPI.md b/docs/config/setup/modules/mermaidAPI.md
index ef04c10c3e..b5e48b2290 100644
--- a/docs/config/setup/modules/mermaidAPI.md
+++ b/docs/config/setup/modules/mermaidAPI.md
@@ -96,7 +96,7 @@ mermaid.initialize(config);
 
 #### Defined in
 
-[mermaidAPI.ts:667](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L667)
+[mermaidAPI.ts:670](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L670)
 
 ## Functions
 
@@ -127,7 +127,7 @@ Return the last node appended
 
 #### Defined in
 
-[mermaidAPI.ts:306](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L306)
+[mermaidAPI.ts:309](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L309)
 
 ---
 
@@ -295,7 +295,7 @@ Put the svgCode into an iFrame. Return the iFrame code
 
 #### Defined in
 
-[mermaidAPI.ts:285](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L285)
+[mermaidAPI.ts:288](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L288)
 
 ---
 
@@ -320,4 +320,4 @@ Remove any existing elements from the given document
 
 #### Defined in
 
-[mermaidAPI.ts:356](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L356)
+[mermaidAPI.ts:359](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L359)
diff --git a/packages/mermaid/src/mermaidAPI.ts b/packages/mermaid/src/mermaidAPI.ts
index 8e7f4d4b18..755fa82583 100644
--- a/packages/mermaid/src/mermaidAPI.ts
+++ b/packages/mermaid/src/mermaidAPI.ts
@@ -263,7 +263,10 @@ export const cleanUpSvgCode = (
 
   // Replace marker-end urls with just the # anchor (remove the preceding part of the URL)
   if (!useArrowMarkerUrls && !inSandboxMode) {
-    cleanedUpSvg = cleanedUpSvg.replace(/marker-end="url\([/:A-Za-z-]*?#/g, 'marker-end="url(#');
+    cleanedUpSvg = cleanedUpSvg.replace(
+      /marker-end="url\([\d+./:=?A-Za-z-]*?#/g,
+      'marker-end="url(#'
+    );
   }
 
   cleanedUpSvg = decodeEntities(cleanedUpSvg);