cross site scripting in mermaid #869

5alt opened this issue Jul 3, 2019 · 3 comments


@5alt 5alt commented Jul 3, 2019

Hi, I found XSS issues in mermaid. This affects all the projects that use mermaid.

There are three different ways to trigger.

The first one:

graph TD
B --> C{<script src= ></script>}

The second one:

graph LR;
    click B callback "<script src= ></script>"

The third one (needs click, both nodes will work):

graph LR;
    click alert`md5_salt` eval "Tooltip for a callback"
    click B "javascript:alert`salt`" "This is a tooltip for a link"

Here is an example that affects other projects which use mermaid.

And all three of the above payloads would work on

Hope you can fix soon!


@knsv knsv commented Jul 5, 2019

Hi, I think this is a duplicate of #847. I will close this one. I will move your example there. If you disagree about the overlap, reopen with a comment.


@5alt 5alt commented Jul 5, 2019

#847 is only the 1st case in this issue, and there are three cases in this issue.

I don't think your fix of #847 will apply for the last case.


@ThePenguin1140 ThePenguin1140 commented Jul 6, 2019

We should extend the scope of #847 then.
@knsv has added your example to the issue so please watch it for any relevant updates. I will close this issue for now.
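
As an added example (not code from this thread or from the mermaid project), a pre-render lint that flags the three input positions reported in the opening comment: markup in label or tooltip text, `click` callbacks, and `click` links whose scheme is not http(s). `lintMermaid`, `linkScheme`, the rule names and the sample diagram are hypothetical and constructed for illustration; the check is line-based and is meant to run before untrusted diagrams are rendered, alongside output encoding in the renderer.

```javascript
// Added example: lintMermaid() and its rule names are hypothetical, not mermaid APIs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function linkScheme(target) {
  // URL parsers drop tabs and newlines, so strip whitespace and control
  // characters before matching; no scheme means a relative link (null).
  const cleaned = target.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function lintMermaid(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const n = i + 1;
    // Markup inside a node label or a tooltip string.
    if (/<\s*\/?\s*[a-zA-Z!]/.test(line)) findings.push({ line: n, rule: 'html-in-text' });
    const click = /^\s*click\s+(\S+)\s+(?:"([^"]*)"|(\S+))/.exec(line);
    if (!click) return;
    const [, nodeId, url] = click;
    // Assumption: node ids in accepted diagrams are plain identifiers.
    if (!/^[A-Za-z0-9_]+$/.test(nodeId)) findings.push({ line: n, rule: 'suspicious-node-id' });
    if (url === undefined) {
      // A bare word after the node id names a page function to invoke on click.
      findings.push({ line: n, rule: 'click-callback' });
    } else {
      const scheme = linkScheme(url);
      if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
        findings.push({ line: n, rule: 'disallowed-link-scheme' });
      }
    }
  });
  return findings;
}

// Constructed sample input: benign strings placed in the reported positions.
const SAMPLE = [
  'graph LR;',
  '    A --> B{<b>label</b>}',
  '    click A callback "tooltip"',
  '    click B "javascript:void(0)" "tooltip"',
  '    click C "https://example.com/docs" "tooltip"',
  '    click x`y` cb "tooltip"',
].join('\n');

console.log(lintMermaid(SAMPLE));
```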
