Skip to content

Commit 949602b

Browse files
authored
Merge commit from fork
[v10] fix: create CSS styles using the CSSOM
2 parents 810db06 + 2a999ed commit 949602b

11 files changed

Lines changed: 192 additions & 90 deletions

File tree

.cspell/code-terms.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -112,6 +112,7 @@ SUBROUTINEEND
112112
SUBROUTINESTART
113113
Subschemas
114114
substr
115+
SVGSVGElement
115116
TAGEND
116117
TAGSTART
117118
techn

cypress/integration/other/ghsa.spec.js

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
import { urlSnapshotTest, openURLAndVerifyRendering } from '../../helpers/util.ts';
1+
import { urlSnapshotTest, openURLAndVerifyRendering, imgSnapshotTest } from '../../helpers/util.ts';
22

33
describe('CSS injections', () => {
44
it('should not allow CSS injections outside of the diagram', () => {
@@ -31,4 +31,14 @@ describe('CSS injections', () => {
3131
'url("https://example.test/3.png")'
3232
);
3333
});
34+
it('should prevent HTML injection via class definitions', () => {
35+
imgSnapshotTest(
36+
`stateDiagram-v2
37+
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div id="pwned" style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
38+
[*] --> A:::xss
39+
`,
40+
{ logLevel: 1 }
41+
);
42+
cy.get('body > div #pwned').should('not.exist');
43+
});
3444
});

cypress/integration/rendering/theme.spec.js

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,16 @@ describe('themeCSS balancing, it', () => {
2525
});
2626
});
2727

28+
it('themeCSS - should work', () => {
29+
const themeCSS = `.nodeLabel {
30+
font-variant-caps: petite-caps;
31+
}`;
32+
imgSnapshotTest("flowchart TD; A['Hello World']", {
33+
themeCSS,
34+
});
35+
cy.get('.nodeLabel').should('have.css', 'font-variant-caps', 'petite-caps');
36+
});
37+
2838
// TODO: Delete/Rename this describe, keeping the inner contents.
2939
describe('Pie Chart', () => {
3040
// beforeEach(()=>{

docs/config/setup/interfaces/mermaidAPI.ParseOptions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,4 +16,4 @@
1616

1717
#### Defined in
1818

19-
[mermaidAPI.ts:61](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L61)
19+
[mermaidAPI.ts:62](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L62)

docs/config/setup/interfaces/mermaidAPI.RenderResult.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ bindFunctions?.(div); // To call bindFunctions only if it's present.
3939
4040
#### Defined in
4141
42-
[mermaidAPI.ts:81](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L81)
42+
[mermaidAPI.ts:82](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L82)
4343
4444
---
4545
@@ -51,4 +51,4 @@ The svg code for the rendered graph.
5151
5252
#### Defined in
5353
54-
[mermaidAPI.ts:71](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L71)
54+
[mermaidAPI.ts:72](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L72)

docs/config/setup/modules/mermaidAPI.md

Lines changed: 23 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ Renames and re-exports [mermaidAPI](mermaidAPI.md#mermaidapi)
2525

2626
#### Defined in
2727

28-
[mermaidAPI.ts:65](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L65)
28+
[mermaidAPI.ts:66](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L66)
2929

3030
## Variables
3131

@@ -96,13 +96,13 @@ mermaid.initialize(config);
9696

9797
#### Defined in
9898

99-
[mermaidAPI.ts:610](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L610)
99+
[mermaidAPI.ts:633](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L633)
100100

101101
## Functions
102102

103103
### appendDivSvgG
104104

105-
**appendDivSvgG**(`parentRoot`, `id`, `enclosingDivId`, `divStyle?`, `svgXlink?`): `any`
105+
**appendDivSvgG**(`parentRoot`, `id`, `enclosingDivId`, `divStyle?`, `svgXlink?`): `D3HtmlSelection`<`HTMLElement`> | `D3HtmlSelection`<`Element`>
106106

107107
Append an enclosing div, then svg, then g (group) to the d3 parentRoot. Set attributes.
108108
Only set the style attribute on the enclosing div if divStyle is given.
@@ -111,23 +111,23 @@ Return the last node appended
111111

112112
#### Parameters
113113

114-
| Name | Type | Description |
115-
| :--------------- | :------- | :----------------------------------------------- |
116-
| `parentRoot` | `any` | the d3 node to append things to |
117-
| `id` | `string` | the value to set the id attr to |
118-
| `enclosingDivId` | `string` | the id to set the enclosing div to |
119-
| `divStyle?` | `string` | if given, the style to set the enclosing div to |
120-
| `svgXlink?` | `string` | if given, the link to set the new svg element to |
114+
| Name | Type | Description |
115+
| :--------------- | :--------------------------------------------------------------- | :----------------------------------------------- |
116+
| `parentRoot` | `D3HtmlSelection`<`HTMLElement`> \| `D3HtmlSelection`<`Element`> | the d3 node to append things to |
117+
| `id` | `string` | the value to set the id attr to |
118+
| `enclosingDivId` | `string` | the id to set the enclosing div to |
119+
| `divStyle?` | `string` | if given, the style to set the enclosing div to |
120+
| `svgXlink?` | `string` | if given, the link to set the new svg element to |
121121

122122
#### Returns
123123

124-
`any`
124+
`D3HtmlSelection`<`HTMLElement`> | `D3HtmlSelection`<`Element`>
125125

126126
- returns the parentRoot that had nodes appended
127127

128128
#### Defined in
129129

130-
[mermaidAPI.ts:265](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L265)
130+
[mermaidAPI.ts:285](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L285)
131131

132132
---
133133

@@ -153,7 +153,7 @@ the cleaned up svgCode
153153

154154
#### Defined in
155155

156-
[mermaidAPI.ts:211](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L211)
156+
[mermaidAPI.ts:231](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L231)
157157

158158
---
159159

@@ -178,7 +178,7 @@ the string with all the user styles
178178

179179
#### Defined in
180180

181-
[mermaidAPI.ts:141](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L141)
181+
[mermaidAPI.ts:142](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L142)
182182

183183
---
184184

@@ -193,15 +193,15 @@ the string with all the user styles
193193
| `config` | `MermaidConfig` |
194194
| `graphType` | `string` |
195195
| `classDefs` | `undefined` \| `Record`<`string`, `DiagramStyleClassDef`> |
196-
| `svgId` | `string` |
196+
| `svgId` | \`#${string}\` |
197197

198198
#### Returns
199199

200200
`string`
201201

202202
#### Defined in
203203

204-
[mermaidAPI.ts:188](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L188)
204+
[mermaidAPI.ts:207](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L207)
205205

206206
---
207207

@@ -228,7 +228,7 @@ with an enclosing block that has each of the cssClasses followed by !important;
228228

229229
#### Defined in
230230

231-
[mermaidAPI.ts:125](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L125)
231+
[mermaidAPI.ts:126](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L126)
232232

233233
---
234234

@@ -240,10 +240,10 @@ Put the svgCode into an iFrame. Return the iFrame code
240240

241241
#### Parameters
242242

243-
| Name | Type | Default value | Description |
244-
| :------------ | :------- | :------------ | :--------------------------------------------------------------------------- |
245-
| `svgCode` | `string` | `''` | the svg code to put inside the iFrame |
246-
| `svgElement?` | `any` | `undefined` | the d3 node that has the current svgElement so we can get the height from it |
243+
| Name | Type | Default value | Description |
244+
| :------------ | :-------------- | :------------ | :--------------------------------------------------------------------------- |
245+
| `svgCode` | `string` | `''` | the svg code to put inside the iFrame |
246+
| `svgElement?` | `SVGSVGElement` | `undefined` | the d3 node that has the current svgElement so we can get the height from it |
247247

248248
#### Returns
249249

@@ -254,7 +254,7 @@ Put the svgCode into an iFrame. Return the iFrame code
254254

255255
#### Defined in
256256

257-
[mermaidAPI.ts:242](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L242)
257+
[mermaidAPI.ts:262](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L262)
258258

259259
---
260260

@@ -279,4 +279,4 @@ Remove any existing elements from the given document
279279

280280
#### Defined in
281281

282-
[mermaidAPI.ts:315](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L315)
282+
[mermaidAPI.ts:338](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L338)

packages/mermaid/src/diagram-api/types.ts

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,14 @@ export interface DiagramDB {
4444
// It makes it clear we're working with a style class definition, even though defining the type is currently difficult.
4545
export interface DiagramStyleClassDef {
4646
id: string;
47+
/**
48+
* The styles to apply to the class for HTML rendering.
49+
* These are expected to be CSS property declarations without a trailing semicolon, e.g. `color: red`.
50+
*/
4751
styles?: string[];
52+
/**
53+
* The styles to apply to `<tspan>` elements with the given class.
54+
*/
4855
textStyles?: string[];
4956
}
5057

0 commit comments

Comments
 (0)