fix: shifted dompurify.addhook functions inside removescript

mermaid-js · Oct 23, 2023 · 7960f94 · 7960f94
1 parent 3f486ac
commit 7960f94
Showing 1 changed file with 19 additions and 17 deletions.
diff --git a/packages/mermaid/src/diagrams/common/common.ts b/packages/mermaid/src/diagrams/common/common.ts
@@ -25,26 +25,28 @@ export const getRows = (s?: string): string[] => {
  * @returns The safer text
  */
 export const removeScript = (txt: string): string => {
-  return DOMPurify.sanitize(txt);
-};
+  const TEMPORARY_ATTRIBUTE = 'data-temp-href-target';
 
-const TEMPORARY_ATTRIBUTE = 'data-temp-href-target';
+  DOMPurify.addHook('beforeSanitizeAttributes', (node: Element) => {
+    if (node.tagName === 'A' && node.hasAttribute('target')) {
+      node.setAttribute(TEMPORARY_ATTRIBUTE, node.getAttribute('target') || '');
+    }
+  });
 
-DOMPurify.addHook('beforeSanitizeAttributes', (node: Element) => {
-  if (node.tagName === 'A' && node.hasAttribute('target')) {
-    node.setAttribute(TEMPORARY_ATTRIBUTE, node.getAttribute('target') || '');
-  }
-});
-
-DOMPurify.addHook('afterSanitizeAttributes', (node: Element) => {
-  if (node.tagName === 'A' && node.hasAttribute(TEMPORARY_ATTRIBUTE)) {
-    node.setAttribute('target', node.getAttribute(TEMPORARY_ATTRIBUTE) || '');
-    node.removeAttribute(TEMPORARY_ATTRIBUTE);
-    if (node.getAttribute('target') === '_blank') {
-      node.setAttribute('rel', 'noopener');
+  const sanitizedText = DOMPurify.sanitize(txt);
+
+  DOMPurify.addHook('afterSanitizeAttributes', (node: Element) => {
+    if (node.tagName === 'A' && node.hasAttribute(TEMPORARY_ATTRIBUTE)) {
+      node.setAttribute('target', node.getAttribute(TEMPORARY_ATTRIBUTE) || '');
+      node.removeAttribute(TEMPORARY_ATTRIBUTE);
+      if (node.getAttribute('target') === '_blank') {
+        node.setAttribute('rel', 'noopener');
+      }
     }
-  }
-});
+  });
+
+  return sanitizedText;
+};
 
 const sanitizeMore = (text: string, config: MermaidConfig) => {
   if (config.flowchart?.htmlLabels !== false) {