Commit a31eb11c authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-mermaid-block' into '12-3-stable'

Only render fixed number of mermaid blocks

See merge request gitlab/gitlabhq!3411
parents 9c86027e bc97126e
...@@ -36,6 +36,8 @@ export default function renderMermaid($els) { ...@@ -36,6 +36,8 @@ export default function renderMermaid($els) {
securityLevel: 'strict', securityLevel: 'strict',
}); });
let renderedChars = 0;
$els.each((i, el) => { $els.each((i, el) => {
// Mermaid doesn't like `<br />` tags, so collapse all like tags into `<br>`, which is parsed correctly. // Mermaid doesn't like `<br />` tags, so collapse all like tags into `<br>`, which is parsed correctly.
const source = el.textContent.replace(/<br\s*\/>/g, '<br>'); const source = el.textContent.replace(/<br\s*\/>/g, '<br>');
...@@ -45,7 +47,7 @@ export default function renderMermaid($els) { ...@@ -45,7 +47,7 @@ export default function renderMermaid($els) {
* prevent mermaidjs from hanging up the entire thread and * prevent mermaidjs from hanging up the entire thread and
* causing a DoS. * causing a DoS.
*/ */
if (source && source.length > MAX_CHAR_LIMIT) { if ((source && source.length > MAX_CHAR_LIMIT) || renderedChars > MAX_CHAR_LIMIT) {
el.textContent = sprintf( el.textContent = sprintf(
__( __(
'Cannot render the image. Maximum character count (%{charLimit}) has been exceeded.', 'Cannot render the image. Maximum character count (%{charLimit}) has been exceeded.',
...@@ -55,6 +57,7 @@ export default function renderMermaid($els) { ...@@ -55,6 +57,7 @@ export default function renderMermaid($els) {
return; return;
} }
renderedChars += source.length;
// Remove any extra spans added by the backend syntax highlighting. // Remove any extra spans added by the backend syntax highlighting.
Object.assign(el, { textContent: source }); Object.assign(el, { textContent: source });
......
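Review bot: The cumulative guard added at `renderedChars > MAX_CHAR_LIMIT` is evaluated before the current block is counted, so the page-wide budget is only enforced after it has already been crossed — two blocks of exactly MAX_CHAR_LIMIT characters both pass, and the page renders roughly twice the intended total before a third block is refused. Counting the candidate block makes the limit a true total and subsumes the per-block check, since `source` is always a string here (it is the result of `.replace()`): `if (renderedChars + source.length > MAX_CHAR_LIMIT) {`. The comment above the check (`prevent mermaidjs from hanging up the entire thread`) should also say the budget is shared, e.g. `* The limit is cumulative across every block in $els, so many small blocks are bounded as well.`, and it is worth noting that the existing "Maximum character count has been exceeded" text will now appear on blocks that individually fit, which may confuse users. renderMermaid starts and ends outside the visible hunks.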
---
title: Only render fixed number of mermaid blocks
merge_request:
author:
type: security