chore: fix a few security vulnerabilities

src/diagrams/class/classDb.js

@@ -326,7 +326,7 @@ const setupToolTips = function (element) {
 
       tooltipElem.transition().duration(200).style('opacity', '.9');
       tooltipElem
-        .html(el.attr('title'))
+        .text(el.attr('title'))
         .style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
         .style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
       el.classed('hover', true);

src/diagrams/common/common.js

@@ -57,11 +57,11 @@ export const removeScript = (txt) => {
     }
   }
   let decodedText = removeEscapes(rs);
-  decodedText = decodedText.replace(/script>/gi, '#');
-  decodedText = decodedText.replace(/javascript:/gi, '#');
-  decodedText = decodedText.replace(/javascript&colon/gi, '#');
-  decodedText = decodedText.replace(/onerror=/gi, 'onerror:');
-  decodedText = decodedText.replace(/<iframe/gi, '');
+  decodedText = decodedText.replaceAll(/script>/gi, '#');
+  decodedText = decodedText.replaceAll(/javascript:/gi, '#');
+  decodedText = decodedText.replaceAll(/javascript&colon/gi, '#');
+  decodedText = decodedText.replaceAll(/onerror=/gi, 'onerror:');
+  decodedText = decodedText.replaceAll(/<iframe/gi, '');
   return decodedText;
 };
 

src/diagrams/common/common.spec.js

@@ -1,6 +1,14 @@
 import { sanitizeText, removeScript, removeEscapes } from './common';
 
 describe('when securityLevel is antiscript, all script must be removed', function () {
+  /**
+   * @param {string} original The original text
+   * @param {string} result The expected sanitized text
+   */
+  function compareRemoveScript(original, result) {
+    expect(removeScript(original)).toEqual(result);
+  }
+
   it('should remove all script block, script inline.', function () {
     const labelString = `1
 		Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
@@ -9,19 +17,34 @@ describe('when securityLevel is antiscript, all script must be removed', functio
 			alert('script run......');
 		</script>1
 	1`;
-
-    const result = removeScript(labelString);
-    const hasScript = result.indexOf('script') >= 0;
-    expect(hasScript).toEqual(false);
-
     const exactlyString = `1
 		Act1: Hello 11
 		<b>Act2</b>:
 		11
 	1`;
+    compareRemoveScript(labelString, exactlyString);
+  });
+
+  it('should remove all javascript urls', function () {
+    compareRemoveScript(
+      `This is a <a href="javascript:runHijackingScript();">clean link</a> + <a href="javascript:runHijackingScript();">clean link</a>
+  and <a href="javascript&colon;bipassedMining();">me too</a>`,
+      `This is a <a href="#runHijackingScript();">clean link</a> + <a href="#runHijackingScript();">clean link</a>
+  and <a href="#;bipassedMining();">me too</a>`
+    );
+  });
+
+  it('should detect malicious images', function () {
+    compareRemoveScript(`<img onerror="alert('hello');">`, `<img onerror:"alert('hello');">`);
+  });
 
-    const isEqual = result == exactlyString;
-    expect(isEqual).toEqual(true);
+  it('should detect iframes', function () {
+    compareRemoveScript(
+      `<iframe src="http://abc.com/script1.js"></iframe>
+    <iframe src="http://example.com/iframeexample"></iframe>`,
+      ` src="http://abc.com/script1.js"></iframe>
+     src="http://example.com/iframeexample"></iframe>`
+    );
   });
 });
 

src/diagrams/flowchart/flowDb.js

@@ -417,7 +417,7 @@ const setupToolTips = function (element) {
 
       tooltipElem.transition().duration(200).style('opacity', '.9');
       tooltipElem
-        .html(el.attr('title'))
+        .text(el.attr('title'))
         .style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
         .style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
       el.classed('hover', true);