[pull] main from Milkdown:main#195
Merged
…d v11+ flowcharts (#2332)

* fix(components): allow foreignObject in code block preview for Mermaid v11+ flowcharts

  DOMPurify.sanitize() with default config strips foreignObject elements from SVG. Mermaid v11+ uses foreignObject for flowchart node labels, causing all text to disappear in the code block preview.

* Create fix-dompurify-foreignobject.md

* fix(components): use DOMPurify hook to restrict foreignObject to SVG context

  Address security review: instead of allowing foreignObject globally, use a DOMPurify hook to only permit it within SVG namespace. foreignObject outside SVG is a known mXSS vector (CVE-2020-26870).

* fix(components): add HTML_INTEGRATION_POINTS to preserve foreignObject content

  ADD_TAGS: ['foreignObject'] allows the element itself to survive sanitization, but DOMPurify still treats its children as SVG context and strips standard HTML elements (div, span, p) inside it.

  HTML_INTEGRATION_POINTS: { foreignobject: true } tells DOMPurify that foreignObject switches the parsing context back to HTML namespace, so child elements are sanitized as HTML, not rejected as invalid SVG. This matches Mermaid's own internal DOMPurify configuration.

  The uponSanitizeElement hook still restricts foreignObject to SVG context only, addressing the mXSS concern from the previous review.

* fix: type error

* chore: remove changeset in favour of automatic generator

--------

Co-authored-by: Saul-Mirone <Saul-Mirone@outlook.com>
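The sanitizer configuration and the `uponSanitizeElement` hook described in the commit message above, as an added example that is not Milkdown's or Mermaid's own code. `ADD_TAGS` and `HTML_INTEGRATION_POINTS` are real DOMPurify options; the `USE_PROFILES` line, the hook body, the decision to drop a stray foreignObject by detaching it from its parent, and the stand-in DOM used so the decision logic runs without a browser or jsdom are assumptions made for this example.

```javascript
// Added example, not Milkdown's or Mermaid's code. Models the DOMPurify config
// from the PR (ADD_TAGS + HTML_INTEGRATION_POINTS) plus a hook that keeps
// <foreignObject> only when it is genuinely inside an <svg>.
const SVG_NS = 'http://www.w3.org/2000/svg';
const HTML_NS = 'http://www.w3.org/1999/xhtml';

// Config passed to DOMPurify.sanitize() for the Mermaid preview.
// USE_PROFILES is an assumption; the other two options are the ones named in the PR.
const previewSanitizeConfig = {
  USE_PROFILES: { html: true, svg: true, svgFilters: true },
  ADD_TAGS: ['foreignObject'],
  // Children of foreignObject are sanitized as HTML, so Mermaid's <div>/<span>
  // node labels survive instead of being rejected as invalid SVG.
  HTML_INTEGRATION_POINTS: { foreignobject: true },
};

// A foreignObject is acceptable only as an SVG-namespaced element with an <svg>
// ancestor. One the parser created in the HTML namespace (outside any <svg>) is
// the mXSS shape the PR refuses (see CVE-2020-26870 in the commit message).
function isForeignObjectInSvgContext(node) {
  if (node.namespaceURI !== SVG_NS) return false;
  for (let p = node.parentNode; p; p = p.parentNode) {
    if (p.namespaceURI === SVG_NS && p.localName === 'svg') return true;
  }
  return false;
}

// Hook body in the (node, data) shape DOMPurify passes to uponSanitizeElement;
// data.tagName is lower-cased by DOMPurify. Returns true when the node was dropped.
// Detaching the node is an assumed removal strategy, not the PR's exact code.
function restrictForeignObjectToSvg(node, data) {
  if (data.tagName !== 'foreignobject') return false;
  if (isForeignObjectInSvgContext(node)) return false;
  if (node.parentNode) node.parentNode.removeChild(node);
  return true;
}

// Wiring for a real browser: `DOMPurify` is the default import of the
// dompurify package. Not called here so the file runs offline.
function makePreviewSanitizer(DOMPurify) {
  DOMPurify.addHook('uponSanitizeElement', restrictForeignObjectToSvg);
  return (markup) => DOMPurify.sanitize(markup, previewSanitizeConfig);
}

// --- Constructed stand-in DOM nodes (assumption) so the decision logic runs offline ---
function el(localName, namespaceURI, children = []) {
  const node = { localName, namespaceURI, parentNode: null, childNodes: [] };
  node.removeChild = (c) => {
    node.childNodes = node.childNodes.filter((x) => x !== c);
    c.parentNode = null;
    return c;
  };
  for (const c of children) { c.parentNode = node; node.childNodes.push(c); }
  return node;
}

// Mermaid v11 flowchart shape: svg > g > foreignObject > div (HTML label). Must survive.
function mermaidLabelCase() {
  const fo = el('foreignObject', SVG_NS, [el('div', HTML_NS)]);
  const svg = el('svg', SVG_NS, [el('g', SVG_NS, [fo])]);
  const dropped = restrictForeignObjectToSvg(fo, { tagName: 'foreignobject' });
  return { dropped, stillAttached: fo.parentNode !== null, rootChildren: svg.childNodes.length };
}

// Hostile shape: foreignObject outside any svg, as the HTML parser builds it. Must be dropped.
function strayForeignObjectCase() {
  const fo = el('foreignobject', HTML_NS, [el('img', HTML_NS)]);
  const div = el('div', HTML_NS, [fo]);
  const dropped = restrictForeignObjectToSvg(fo, { tagName: 'foreignobject' });
  return { dropped, stillAttached: fo.parentNode !== null, remaining: div.childNodes.length };
}

// The hook must leave every other element alone.
function unrelatedElementCase() {
  const g = el('g', SVG_NS);
  el('svg', SVG_NS, [g]);
  return restrictForeignObjectToSvg(g, { tagName: 'g' });
}
```

In a browser build, `makePreviewSanitizer(DOMPurify)` returns the function the preview would call on Mermaid's rendered SVG string; the three `*Case` functions exercise the hook's decision on the constructed nodes only.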
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)