diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js
index 678040f98a..d041fa5f4c 100644
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -137,4 +137,9 @@ describe('XSS', () => {
cy.wait(1000);
cy.get('#the-malware').should('not.exist');
});
+ it('should sanitize backticks block diagram labels properly', () => {
+ cy.visit('http://localhost:9000/xss25.html');
+ cy.wait(1000);
+ cy.get('#the-malware').should('not.exist');
+ });
});
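Review bot: The new case's only assertion, `cy.get('#the-malware').should('not.exist')`, is also satisfied when the page renders nothing at all, so it cannot tell "label was sanitized" from "diagram never rendered"; a positive assertion that the block diagram actually rendered would make the check meaningful (the earlier cases in this file share the pattern). The fixed `cy.wait(1000)` is timing-dependent as well; waiting on the rendered element rather than a fixed delay avoids a false pass on a slow run. The enclosing `describe` block starts outside the hunk.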
diff --git a/cypress/platform/xss25.html b/cypress/platform/xss25.html
new file mode 100644
index 0000000000..251e1ec23f
--- /dev/null
+++ b/cypress/platform/xss25.html
@@ -0,0 +1,108 @@
+
+
+
+
+
+
+
+
+
+
+ Security check
+
+
+
+
diff --git a/packages/mermaid/src/diagrams/block/blockDB.ts b/packages/mermaid/src/diagrams/block/blockDB.ts
index f4881a203b..b343a110c7 100644
--- a/packages/mermaid/src/diagrams/block/blockDB.ts
+++ b/packages/mermaid/src/diagrams/block/blockDB.ts
@@ -1,9 +1,11 @@
import type { DiagramDB } from '../../diagram-api/types.js';
import type { BlockConfig, BlockType, Block, ClassDef } from './blockTypes.js';
import * as configApi from '../../config.js';
+import { getConfig } from '../../diagram-api/diagramAPI.js';
import { clear as commonClear } from '../common/commonDb.js';
import { log } from '../../logger.js';
import clone from 'lodash-es/clone.js';
+import common from '../common/common.js';
// Initialize the node database for simple lookups
let blockDatabase: Record = {};
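Review bot: The added `import { getConfig } from '../../diagram-api/diagramAPI.js'` sits two lines below the existing `import * as configApi from '../../config.js'`; if that module exposes the same `getConfig` (it appears to be the same config API), `configApi.getConfig()` would avoid importing the function a second way. This is a style point only; either import path works for the code below.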
@@ -14,9 +16,12 @@ const COLOR_KEYWORD = 'color';
const FILL_KEYWORD = 'fill';
const BG_FILL = 'bgFill';
const STYLECLASS_SEP = ',';
+const config = getConfig();
let classes = {} as Record;
+const sanitizeText = (txt) => common.sanitizeText(txt, config);
+
/**
* Called when the parser comes across a (style) class definition
* @example classDef my-style fill:#f96;
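Review bot: `const config = getConfig();` runs once at module load, so `sanitizeText` keeps whatever `securityLevel` and related settings were in effect when blockDB.ts was first imported; a later `mermaid.initialize(...)` or per-render config change is not seen, which is the wrong moment to freeze a sanitization setting. Reading the config at call time avoids the stale snapshot: replace the two added lines with `const sanitizeText = (txt: string) => common.sanitizeText(txt, getConfig());` and drop `const config = getConfig();`. The label sanitization added in the `populateBlockDatabase` hunk below depends on this same snapshot, so it is affected too. The `txt` parameter also carries no type and is an implicit `any` under strict settings.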
@@ -87,6 +92,9 @@ const populateBlockDatabase = (_blockList: Block[] | Block[][], parent: Block):
const blockList = _blockList.flat();
const children = [];
for (const block of blockList) {
+ if (block.label) {
+ block.label = sanitizeText(block.label);
+ }
if (block.type === 'classDef') {
addStyleClass(block.id, block.css);
continue;