Allowlist Wiki and README.md for Mermaid limits
Summary
Current limitations on Mermaid rendering, 2K total characters per page OR 50 blocks, whichever happens first, help prevent a DoS attack on all pages where we can render GFM.
This is non-ideal for pages like Wikis where:
- There is no user-generated content.
- The Mermaid diagrams are better formatted and can contain `css` styles, which quickly fill up the 2K character quota. (See comment !60490 (comment 575468577))
Security concerns
Since editing and creating a Wiki or `Readme.md` file requires a Developer or higher role, we can trust the actor to not abuse the uplifted limits.
Proposal
Maintain an allowlist of all the pages where we can trust the actor, and uplift all limits on the Mermaid diagram blocks.
MR where this originated: !60490 (closed)
cc: @donaldcook @cmaxim
Also looping in @disenchant
Edited by Donald Cook
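A sketch of how the proposed allowlist could sit in front of the existing limits, added here as an illustration and not taken from the GitLab code base or the MR. The function name, the page-type strings and the return shape are assumptions; only the 2K-character and 50-block figures come from the issue.

```javascript
// Sketch only: names and page-type labels are hypothetical, not GitLab's code.
const MAX_TOTAL_CHARS = 2000; // "2K total characters per page"
const MAX_BLOCKS = 50; // "50 blocks"

// Page types whose editors need a Developer or higher role (assumed labels).
// Anything not listed here keeps the limits, so new page types fail closed.
const TRUSTED_PAGE_TYPES = new Set(['wiki', 'readme']);

// blocks: array of Mermaid source strings in document order.
// Returns the indexes to render and the indexes left unrendered.
function selectMermaidBlocks(blocks, pageType) {
  const trusted = TRUSTED_PAGE_TYPES.has(pageType);
  const render = [];
  const skipped = [];
  let totalChars = 0;
  let limitHit = false;

  blocks.forEach((source, index) => {
    if (!trusted && !limitHit) {
      // "Whichever happens first": either budget running out stops rendering.
      const overChars = totalChars + source.length > MAX_TOTAL_CHARS;
      const overBlocks = render.length >= MAX_BLOCKS;
      limitHit = overChars || overBlocks;
    }
    if (limitHit) {
      // Once a limit is hit, every later block on the page stays unrendered.
      skipped.push(index);
      return;
    }
    totalChars += source.length;
    render.push(index);
  });

  return { trusted, render, skipped, totalChars };
}

// Constructed sample: three styled diagrams of about 900 characters each.
const styledDiagram = 'graph TD;A-->B;'.padEnd(900, ' ');
const samplePage = [styledDiagram, styledDiagram, styledDiagram];
console.log(selectMermaidBlocks(samplePage, 'issue').skipped);
console.log(selectMermaidBlocks(samplePage, 'wiki').skipped);
```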