Skip to content

Fix XSS vulnerability in Mermaid diagram rendering#18

Open
7sg56 wants to merge 1 commit intomainfrom
fix-xss-vulnerability-490713295524379380
Open

Fix XSS vulnerability in Mermaid diagram rendering#18
7sg56 wants to merge 1 commit intomainfrom
fix-xss-vulnerability-490713295524379380

Conversation

@7sg56
Copy link
Owner

@7sg56 7sg56 commented Feb 13, 2026

This PR fixes a critical security vulnerability where Mermaid diagrams were rendered directly into the DOM using innerHTML without sanitization.

Vulnerability

The SimplePreview component was taking user input (Mermaid code), rendering it to SVG, and then setting innerHTML directly. Since Mermaid's securityLevel is set to loose, this allowed malicious payloads (e.g., <img src=x onerror=alert(1)>) to be injected and executed.

Solution

We introduced dompurify to sanitize the SVG string before insertion. The sanitization is configured to:

  • Allow SVG and HTML profiles.
  • Explicitly allow foreignObject tags, which are necessary for Mermaid's HTML labels.
  • Explicitly allow target attribute.

Verification

  • Verified that XSS vectors are neutralized.
  • Verified that normal diagrams (including those with HTML labels if applicable) still render correctly.

PR created automatically by Jules for task 490713295524379380 started by @7sg56

@google-labs-jules @7sg56
Fix XSS vulnerability in SimplePreview.tsx
12e6ead 
- Sanitize Mermaid SVG output using DOMPurify before innerHTML assignment.
- Configure DOMPurify to allow foreignObject (for HTML labels) and target attribute.
- Install dompurify and @types/dompurify dependencies.

Co-authored-by: 7sg56 <102475617+7sg56@users.noreply.github.com>
@google-labs-jules
Copy link
Contributor

google-labs-jules bot commented Feb 13, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@netlify
Copy link

netlify bot commented Feb 13, 2026
edited
Loading

Deploy Preview for colduml ready!

Name Link
🔨 Latest commit 12e6ead
🔍 Latest deploy log https://app.netlify.com/projects/colduml/deploys/698ec1820b72bd0007aff331
😎 Deploy Preview https://deploy-preview-18--colduml.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@7sg56