From 1cb2db5353b0ff6488d9298a6f11851363677ce5 Mon Sep 17 00:00:00 2001 From: Max Wu Date: Sun, 28 Jul 2019 11:43:02 +0800 Subject: [PATCH 1/3] Upgrade mermaid to 8.2.3 to avoid XSS inside the svg tag Signed-off-by: Max Wu --- package.json | 2 +- public/js/extra.js | 11 +++-------- public/views/codimd/foot.ejs | 2 +- public/views/pretty.ejs | 2 +- public/views/slide.ejs | 2 +- 5 files changed, 7 insertions(+), 12 deletions(-) diff --git a/package.json b/package.json index 7a94dee09..bf8dfe410 100644 --- a/package.json +++ b/package.json @@ -91,7 +91,7 @@ "markdown-pdf": "~9.0.0", "mathjax": "~2.7.0", "mattermost-redux": "^5.9.0", - "mermaid": "~7.1.0", + "mermaid": "^8.2.3", "method-override": "~2.3.7", "minimist": "~1.2.0", "minio": "~6.0.0", diff --git a/public/js/extra.js b/public/js/extra.js index fb78a8c4a..7b33d263a 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -387,19 +387,14 @@ export function finishView (view) { var $value = $(value) const $ele = $(value).closest('pre') - window.mermaid.mermaidAPI.parse($value.text()) + window.mermaid.parse($value.text()) $ele.addClass('mermaid') $ele.html($value.text()) window.mermaid.init(undefined, $ele) } catch (err) { - var errormessage = err - if (err.str) { - errormessage = err.str - } - $value.unwrap() - $value.parent().append(`
${escapeHTML(errormessage)}
`) - console.warn(errormessage) + $value.parent().append(`
${S(err.str).escapeHTML().s}
`) + console.warn(err) } }) // abc.js diff --git a/public/views/codimd/foot.ejs b/public/views/codimd/foot.ejs index d054279e2..61bb10d61 100644 --- a/public/views/codimd/foot.ejs +++ b/public/views/codimd/foot.ejs @@ -10,7 +10,7 @@ - + diff --git a/public/views/pretty.ejs b/public/views/pretty.ejs index 12561a3f6..6bdcf9bcf 100644 --- a/public/views/pretty.ejs +++ b/public/views/pretty.ejs @@ -82,7 +82,7 @@ - + diff --git a/public/views/slide.ejs b/public/views/slide.ejs index a92e1daee..b7d73bfd9 100644 --- a/public/views/slide.ejs +++ b/public/views/slide.ejs @@ -98,7 +98,7 @@ - + From b1abfd69cbe937d935de3d4377ef8453f9b490aa Mon Sep 17 00:00:00 2001 From: Max Wu Date: Sun, 28 Jul 2019 19:51:59 +0800 Subject: [PATCH 2/3] fix: use lodash escapeHTML Signed-off-by: Max Wu --- public/js/extra.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/public/js/extra.js b/public/js/extra.js index 7b33d263a..d0a7c2d27 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -393,7 +393,7 @@ export function finishView (view) { window.mermaid.init(undefined, $ele) } catch (err) { $value.unwrap() - $value.parent().append(`
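Review bot: The alert text in the new catch block is built from `err.str` unconditionally, whereas the removed code fell back to `err` itself when `.str` was absent, so any exception without that property — for example one thrown by the `window.mermaid.init(undefined, $ele)` call that shares this try block — now renders as the literal string "undefined" and the real message survives only in the console. Keep the fallback by computing `const message = err && err.str ? err.str : String(err)` and escaping `message` instead of `err.str` in the appended alert; the follow-up commit swaps the escaping helper but still passes `err.str` unguarded. Whether mermaid 8's parse errors still carry a `.str` property is not visible here and should be confirmed against the upgraded API before relying on it. The enclosing `finishView` function starts before this hunk and continues after it.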
${S(err.str).escapeHTML().s}
`) + $value.parent().append(`
${escapeHTML(err.str)}
`) console.warn(err) } }) From 05703fa1c5402b297d2552e10b4b1c54e88780a4 Mon Sep 17 00:00:00 2001 From: Max Wu Date: Sun, 28 Jul 2019 19:56:55 +0800 Subject: [PATCH 3/3] fix: code style Signed-off-by: Max Wu --- lib/web/middleware/tooBusy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/web/middleware/tooBusy.js b/lib/web/middleware/tooBusy.js index 78f3e49a7..f7c0850fd 100644 --- a/lib/web/middleware/tooBusy.js +++ b/lib/web/middleware/tooBusy.js @@ -5,7 +5,7 @@ const toobusy = require('toobusy-js') const config = require('../../config') const response = require('../../response') -toobusy.maxLag(config.responseMaxLag); +toobusy.maxLag(config.responseMaxLag) module.exports = function (req, res, next) { if (toobusy()) {