Explicitly close void elements #4926
Conversation
Previously `<br>` elements were explicitly closed. This was then undone by `dompurify` due to a misconfiguration. Now all void elements are explicitly autoclosed and `compurify` is configured to treat content as SVG, not HTML.
✅ Deploy Preview for mermaid-js ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## develop #4926 +/- ##
============================================
- Coverage 79.94% 43.29% -36.65%
============================================
Files 164 20 -144
Lines 13623 4721 -8902
Branches 693 21 -672
============================================
- Hits 10891 2044 -8847
- Misses 2583 2676 +93
+ Partials 149 1 -148
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Actually I don’t think this really fixes the issue. Should mermaid even produce valid SVG (what I need for |
| @@ -260,7 +263,7 @@ export const cleanUpSvgCode = ( | |||
| cleanedUpSvg = decodeEntities(cleanedUpSvg); | |||
|
|
|||
| // replace old br tags with newer style | |||
| cleanedUpSvg = cleanedUpSvg.replace(/<br>/g, '<br/>'); | |||
| cleanedUpSvg = cleanedUpSvg.replace(voidElementRegex, '<$1/>'); | |||
There was a problem hiding this comment.
This approach doesn’t work if the elements have a class name.
| @@ -501,6 +504,7 @@ const render = async function ( | |||
| } else if (!isLooseSecurityLevel) { | |||
| // Sanitize the svgCode using DOMPurify | |||
| svgCode = DOMPurify.sanitize(svgCode, { | |||
| NAMESPACE: 'http://www.w3.org/2000/svg', | |||
There was a problem hiding this comment.
So down here svgCode may still be invalid SVG (but valid HTML).
|
I decided to resolve this in |
I'd love mermaid to produce valid SVG all the time! Although we'd probably want some way to test it. Especially if we can get mermaid to produce SVG 1.1-compliant SVGs (the latest SVG spec that most non-browser environments, like Inkscape support). One issue is that Mermaid supports giving diagrams custom CSS, so users could add new CSS features that aren't part of SVG 1.1 (e.g. CSS Variables for light/dark-mode)). I think you're right, |
|
For SVG to be valid, it needs to be valid XML. For SVG to be safe to embed, it needs to be valid HTML. So typically this the SVG is semantically valid all the time (at least semantically) if it can be parsed by both an XML parser and an HTML parser. Currently Why is the output sanitized? I don’t think this is very useful if everything is generated by mermaid.
If you look at the diffs of the SVG files in remcohaszing/mermaid-isomorphic#3, you can see that this makes all HTML void elements and empty SVG elements self-closing, but keeps other HTML elements inside |
I believe it's so users can add HTML to their mermaid diagrams, e.g. ```mermaid
flowchart TD
A[<i>italics</i> <b>bold</b>]
```will be rendered as flowchart TD
A[<i>italics</i> <b>bold</b>]
And mermaid needs to sanitize to avoid XSS attacks.
👍 That's good to hear! I think some very very very old browsers might not support self-closing HTML elements, but even internet explorer supports it, so it shouldn't be anything we need to worry about! |
📑 Summary
Previously
<br>elements were explicitly closed. This was then undone bydompurifydue to a misconfiguration.Now all void elements are explicitly autoclosed and
compurifyis configured to treat content as SVG, not HTML.Resolves remcohaszing/rehype-mermaid#5
📏 Design Decisions
Possibly a better solution might be to use
XMLSerializerinstead ofinnerHTMLto createsvgCodeon line 496.📋 Tasks
Make sure you
MERMAID_RELEASE_VERSIONis used for all new features.developbranch