Bad Sanitization in Mermaid.js leading to XSS

We discussed this vulnerability during Episode 111 on 17 January 2022

if you’re going to apply a blacklist to remove content…perform it recursively.

const sanitizeUrl = function (s) {
  // Each replace runs in a single pass over the input; nothing re-checks
  // the result after the 'javascript:' token has been removed.
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/javascript:/g, '');
};
...
var sanitizedLink = sanitizeUrl(links[key]);

This should trigger some alarm bells: it removes the javascript: string, but only in a single pass. Classic blacklist bypass: for the input javajavascript:script: it removes the middle javascript:, and the resulting string is javascript:.
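The single-pass blacklist beside two ways of closing the gap, as an added example (not Mermaid's own code): one version repeats the removal until the string stops changing, the other replaces the blacklist with a scheme allowlist. The allowed scheme set (http, https, mailto, plus relative links) is an assumption for the example, not something Mermaid specifies. Both are checked against the bypass string discussed above.

```javascript
// Added example; not code from Mermaid.js.

// Single pass, as discussed above: each replace runs exactly once, so a
// token reassembled by the removal itself is never looked at again.
function sanitizeUrlOnce(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/javascript:/g, '');
}

// Fixed-point version: keep removing until a pass changes nothing.
// Schemes are case-insensitive in browsers, so the match uses /i.
function sanitizeUrlUntilStable(s) {
  let cur = s.replace(/&/g, '&amp;').replace(/</g, '&lt;');
  let prev;
  do {
    prev = cur;
    cur = cur.replace(/javascript:/gi, '');
  } while (cur !== prev);
  return cur;
}

// Allowlist alternative. Assumption for this example: labels only ever need
// http(s), mailto, or relative links. Anything with another scheme is
// rejected outright instead of being partially stripped.
function isAllowedUrl(s) {
  const trimmed = s.trim();
  // No scheme prefix at all: treat as a relative link.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(trimmed)) return true;
  return /^(https?|mailto):/i.test(trimmed);
}

// Constructed input: the bypass string from the text with a harmless payload.
const bypass = 'javajavascript:script:alert(1)';
console.log(sanitizeUrlOnce(bypass));        // javascript:alert(1)
console.log(sanitizeUrlUntilStable(bypass)); // alert(1)
console.log(isAllowedUrl(bypass));           // false
```

Of the two fixes, the allowlist is the one to prefer: the fixed-point loop still has to enumerate every dangerous scheme, while the allowlist only has to name the handful the feature actually needs.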

Two other issues were found in addLinks and addALink, though both are in effect the same issue. The normal flow would sanitize the links for their use in labels and then add the sanitized links to a list to be reused later in a display showing the links. When htmlLabels was enabled, the links would not undergo the initial sanitization, so when the popup link box used them, they would only have to contend with the bypassable sanitizeUrl.