XSS in Mermaid
All versions of mermaid are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')>"] is provided to the application, the browser executes the embedded script instead of displaying the label as text, because the label content is not properly output-encoded before rendering.
Note 1: there is no fix available.
Note 2: there is no CVE assigned to this issue right now.
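The mitigation the advisory points at is output encoding of untrusted label text. The following is an added example, not code from the Mermaid project: it assumes a flowchart definition whose node labels use the `Id["..."]` syntax, flags labels that carry markup, and HTML-encodes every quoted label before the definition reaches the renderer, so the payload quoted above is displayed literally.

```javascript
// Added example (not Mermaid project code): treat node-label text in a
// Mermaid flowchart definition as untrusted and HTML-encode it before the
// definition is handed to the renderer. Assumes the Id["..."] label syntax.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Matches a flowchart node with a double-quoted label, e.g. A["..."].
// Group 1: node id plus opening bracket, group 2: label body, group 3: closing.
const QUOTED_LABEL = /(\b[A-Za-z_][\w-]*\[")([^"]*)("\])/g;

// Returns the label bodies that contain an HTML tag opener, so the
// application can log or reject the diagram instead of rendering it blindly.
function findMarkupLabels(definition) {
  const hits = [];
  for (const m of definition.matchAll(QUOTED_LABEL)) {
    if (/<[a-zA-Z!\/]/.test(m[2])) hits.push(m[2]);
  }
  return hits;
}

// Returns the definition with every quoted label HTML-encoded, so markup
// inside a label is shown as literal text rather than interpreted.
function encodeLabels(definition) {
  return definition.replace(QUOTED_LABEL, (_, open, body, close) => open + escapeHtml(body) + close);
}

// Constructed sample: the payload quoted in the advisory, inside a flowchart.
const SAMPLE = `graph TD\n  A["<img src=invalid onerror=alert('XSS')>"] --> B["safe label"]`;

console.log('labels with markup:', findMarkupLabels(SAMPLE));
console.log(encodeLabels(SAMPLE));
```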
Edited by Fabien Catteau