Mermaid: Allow a whitelist of HTML tags for formatting
Problem to solve
In https://gitlab.com/gitlab-org/gitlab-ce/issues/54588#note_179827473, @inteist suggests whitelisting some HTML tags so that labels in Mermaid charts can be nicely formatted. These include tags like <br>, <b>, <center>, etc. that pose no security risk.
Intended users
Anyone who likes charts.
Proposal
This proposal will probably involve making an upstream contribution to Mermaid. However, the author has indicated that they no longer have the time to maintain that project, and so our solution may require forking the project and shipping GitLab with our fork. Further, the project has much technical debt and flaws in code and documentation. At this moment, Mermaid's test suite doesn't even pass.
Security
We need to make sure that whitelisted tags don't create any XSS vulnerabilities. In particular, they must not make any requests (like <img> tags) or trigger any events (via on* handlers).
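As an added illustration of that constraint (example code written for this issue, not Mermaid's or GitLab's own), a minimal label filter that keeps only the bare whitelisted tags and escapes everything else; the tag list is assumed from the issue text, and attributes are rejected wholesale so on* handlers, src and href can never get through:

```javascript
// Added example: allow-list filter for Mermaid label text.
// Not code from Mermaid or GitLab. The tag list is an assumption taken from
// the issue (br, b, center). Only bare tags are kept: no attributes at all,
// so on* handlers, src/href and style never pass; <img>, <script> and any
// allowed tag carrying attributes are escaped rather than dropped, so the
// label still shows what the author typed.

const ALLOWED_TAGS = new Set(['br', 'b', 'center']);

// One tag-like token: "<", optional "/", a tag name, anything up to the
// next ">", and an optional trailing "/" for self-closing forms.
const TAG_TOKEN = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(\/?)>/g;

function escapeAngles(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeLabel(label) {
  let out = '';
  let last = 0;
  for (const m of label.matchAll(TAG_TOKEN)) {
    const [token, slash, name, attrs, selfClose] = m;
    // Plain text between tags: stray angle brackets are escaped too.
    out += escapeAngles(label.slice(last, m.index));
    last = m.index + token.length;
    const tag = name.toLowerCase();
    if (ALLOWED_TAGS.has(tag) && attrs.trim() === '') {
      // Re-emit in canonical form; never echo the original token verbatim.
      out += `<${slash}${tag}${selfClose}>`;
    } else {
      // Disallowed tag, or an allowed tag with attributes: neutralise it.
      out += escapeAngles(token);
    }
  }
  out += escapeAngles(label.slice(last));
  return out;
}
```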