A xss on the newest version

[fr4nk404]

XSS

There is a xss in the newest version via a label named mermaid
When we insert codes like this:

graph LR
id1["<iframe src=javascript:alert('xss')></iframe>"]

Loading

we can see there is a xss in the latest version.

---

IssueHunt Summary

amedora has been rewarded.

Backers (Total: $40.00)

• boostio ($40.00)

Submitted pull Requests

• #3028 Fix 3007

---

Tips

• Checkout the Issuehunt explorer to discover more funded issues.
• Need some help from other developers? Add your repositories on IssueHunt to raise funds.

---

IssueHunt has been backed by the following sponsors. Become a sponsor

[ZeroX-DG]

Good catch! I'll check it when I get home.

[eg-h-ashina]

https://nvd.nist.gov/vuln/detail/CVE-2019-12184

[IssueHuntBot]

@BoostIO has funded $40.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[amedora]

@Flexo013, could you close this? (resolved by #3028)

[Flexo013]

Thanks for the ping @amedora!

[issuehunt-oss]

@Rokt33r has rewarded $36.00 to @amedora. See it on IssueHunt

• 💰 Total deposit: $40.00
• 🎉 Repository reward(0%): $0.00
• 🔧 Service fee(10%): $4.00