Added markdown-it-mermaid for some charts support in all input fields. Replaced xss with dompurify.

Thanks to xuguotong and xet7 ! Fixes #3794
2026-02-19 06:28:06 +01:00 · 2021-05-07 02:13:20 +03:00 · 2021-05-07 02:13:20 +03:00 · 5ab20a9257
commit 5ab20a9257
parent 88e4918208
6 changed files with 5604 additions and 889 deletions
--- a/packages/markdown/src/checkNpmVersions.js
+++ b/packages/markdown/src/checkNpmVersions.js
@ -1,5 +1,5 @@
 import { checkNpmVersions } from 'meteor/tmeasday:check-npm-versions';

 checkNpmVersions({
-    'xss': '1.0.8',
+    'dompurify': '2.2.8',
 }, 'my:xss');
--- a/packages/markdown/src/template-integration.js
+++ b/packages/markdown/src/template-integration.js
@ -1,4 +1,5 @@
-import sanitizeXss from 'xss';
+import DOMPurify from 'dompurify';
+
 var Markdown = require('markdown-it')({
  html: true,
  linkify: true,
@ -6,7 +7,9 @@ var Markdown = require('markdown-it')({
  breaks: true,
 });

+import markdownItMermaid from "@liradb2000/markdown-it-mermaid";

+/*
 // Static URL Scheme Listing
 var urlschemes = [
  "aodroplink",
@ -19,7 +22,7 @@ var urlschemes = [
  "mailspring"
 ];

-// Better would be a field in the admin backend to set this dynamically 
+// Better would be a field in the admin backend to set this dynamically
 // instead of putting all known or wanted url schemes here hard into code
 // but i was not able to access those settings
 // var urlschemes = currentSetting.automaticLinkedUrlSchemes.split('\n');
@ -44,14 +47,18 @@ function mySafeAttrValue(tag, name, value, cssFilter) {
      // use the default safeAttrValue function to process all non cbthunderlinks
      return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
    }
+//  } else if (tag === 'svg') {
+//    return `<img src="data:image/svg+xml;base64,` + atob(value) + `"></img>`;
  } else {
    // use the default safeAttrValue function to process it
    return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
  }
 };
+*/

 var emoji = require('markdown-it-emoji');
 Markdown.use(emoji);
+Markdown.use(markdownItMermaid);

 if (Package.ui) {
  const Template = Package.templating.Template;
@ -66,6 +73,6 @@ if (Package.ui) {
      text = Blaze._toText(self.templateContentBlock, HTML.TEXTMODE.STRING);
    }

-    return HTML.Raw(sanitizeXss(Markdown.render(text), { safeAttrValue: mySafeAttrValue }));
+    return HTML.Raw(DOMPurify.sanitize(Markdown.render(text), {ALLOW_UNKNOWN_PROTOCOLS: true}));
  }));
 }