Various Mermaid improvements #18776

silverwind · 2022-02-15T19:29:30Z

Render into iframe for improved security
Use built-in dark theme instead of color inversion
Remove flexbox attributes, resulting in more consistent size rendering
Update API usage and update to latest version
Tested in Firefox, Chrome, Safari

Before:

After:

- Render into iframe for improved security - Use built-in dark theme instead of color inversion - Remove flexbox attributes, resulting in more consistent size rendering - Update API usage and update to latest version

silverwind · 2022-02-15T19:30:23Z

Labeling for backport because of the security aspect and it's a nice improvement in the rendering as well.

silverwind · 2022-02-15T22:05:11Z

There is one more improvement to do: mermaid.init renders into the DOM until the JS picks it out and puts it into the <iframe>. Need to find a solution that does not go via DOM like that. Putting to draft until then.

Gusted · 2022-02-15T22:14:25Z

There is one more improvement to do: mermaid.init renders into the DOM until the JS picks it out and puts it into the <iframe>. Need to find a solution that does not go via DOM like that. Putting to draft until then.

Would it be possible to create the <iframe> beforehand and create the necessary SVG already and then pass that as "node" into the init function, the only thing you would need to do afterwards is to set the correct height style, but that should avoid to use the parent document instead of the iframe document.

silverwind · 2022-02-16T00:23:02Z

Would it be possible to create the <iframe> beforehand and create the necessary SVG already and then pass that as "node" into the init function, the only thing you would need to do afterwards is to set the correct height style, but that should avoid to use the parent document instead of the iframe document.

Exactly my thoughts, fixed it. With the new method, I needed to parse the height from the SVG string, which is a bit clumsy, but should be faster than parsing the whole thing again using a DOMParser or similar.

Of note there is one tidbit to mermaidAPI.render, one is instructed to bind JS events via second argument bindFunctions provided in the callback, but we can't do that without loading the whole library into each iframe. I don't think we'd actually need this feature thought as it is disabled in strict security mode anyways, and there is no way for the user to input JS code anways.

lunny · 2022-02-16T03:28:14Z

make L-G-T-M work.

lunny · 2022-02-16T03:28:54Z

Please send backport

* Various Mermaid improvments - Render into iframe for improved security - Use built-in dark theme instead of color inversion - Remove flexbox attributes, resulting in more consistent size rendering - Update API usage and update to latest version * restart ci * misc tweaks * remove unneccesary declaration * make it work without allow-same-origin, add loading=lazy * remove loading attribute, does not seem to work * rename variable * skip roundtrip to DOM for rendering * don't guess chart height * update comment to make it clear it's intentional * tweak * replace deprecated 'scrolling' property * remove unused css file Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

* giteaofficial/main: Various Mermaid improvements (go-gitea#18776) [skip ci] Updated translations via Crowdin Fix display time of milestones (go-gitea#18753)

* Various Mermaid improvments - Render into iframe for improved security - Use built-in dark theme instead of color inversion - Remove flexbox attributes, resulting in more consistent size rendering - Update API usage and update to latest version * restart ci * misc tweaks * remove unneccesary declaration * make it work without allow-same-origin, add loading=lazy * remove loading attribute, does not seem to work * rename variable * skip roundtrip to DOM for rendering * don't guess chart height * update comment to make it clear it's intentional * tweak * replace deprecated 'scrolling' property * remove unused css file Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

* 'main' of https://github.com/go-gitea/gitea: (87 commits) Fix template bug of LFS lock (go-gitea#18784) Various Mermaid improvements (go-gitea#18776) [skip ci] Updated translations via Crowdin Fix display time of milestones (go-gitea#18753) [skip ci] Updated translations via Crowdin Prevent dangling GetAttribute calls (go-gitea#18754) Add example to render html files (go-gitea#18736) Fix a broken link in `commits_list_small.tmpl` (go-gitea#18763) Fix broken cancel button link on patch page (go-gitea#18718) Ignore the migrate if u2f_registration is not exist (go-gitea#18760) [skip ci] Updated translations via Crowdin Increase the size of the webauthn_credential credential_id field (go-gitea#18739) Fix isempty detection of git repository (go-gitea#18746) [skip ci] Updated translations via Crowdin Send mail to issue/pr assignee/reviewer also when OnMention is set (go-gitea#18707) Reduce CI go module downloads, add make targets (go-gitea#18708) Add number in queue status to monitor page (go-gitea#18712) Fix source code line highlighting (go-gitea#18729) Fix forked repositories missed tags (go-gitea#18719) [skip ci] Updated translations via Crowdin ...

* Various Mermaid improvments - Render into iframe for improved security - Use built-in dark theme instead of color inversion - Remove flexbox attributes, resulting in more consistent size rendering - Update API usage and update to latest version * restart ci * misc tweaks * remove unneccesary declaration * make it work without allow-same-origin, add loading=lazy * remove loading attribute, does not seem to work * rename variable * skip roundtrip to DOM for rendering * don't guess chart height * update comment to make it clear it's intentional * tweak * replace deprecated 'scrolling' property * remove unused css file Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

Various Mermaid improvments

f501325

- Render into iframe for improved security - Use built-in dark theme instead of color inversion - Remove flexbox attributes, resulting in more consistent size rendering - Update API usage and update to latest version

silverwind added backport/v1.16 type/enhancement An improvement of existing functionality topic/ui Change the appearance of the Gitea UI labels Feb 15, 2022

silverwind modified the milestone: 1.16.2 Feb 15, 2022

GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Feb 15, 2022

silverwind force-pushed the mermaid-improve branch from fdbed05 to f501325 Compare February 15, 2022 19:36

silverwind added 4 commits February 15, 2022 20:43

restart ci

34d5107

misc tweaks

aae3daf

remove unneccesary declaration

1953abe

make it work without allow-same-origin, add loading=lazy

eb9b65f

silverwind changed the title ~~Various Mermaid improvments~~ Various Mermaid improvements Feb 15, 2022

silverwind added 2 commits February 15, 2022 22:19

remove loading attribute, does not seem to work

ab99264

rename variable

f0874f3

zeripath approved these changes Feb 15, 2022

View reviewed changes

GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Feb 15, 2022

Gusted approved these changes Feb 15, 2022

View reviewed changes

GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 15, 2022

silverwind marked this pull request as draft February 15, 2022 22:05

skip roundtrip to DOM for rendering

5512f02

silverwind marked this pull request as ready for review February 16, 2022 00:17

don't guess chart height

a49b789

silverwind requested a review from Gusted February 16, 2022 00:40

silverwind and others added 5 commits February 16, 2022 01:43

update comment to make it clear it's intentional

b563a7a

tweak

41141cc

replace deprecated 'scrolling' property

ced1c13

Merge branch 'main' into mermaid-improve

ba6ee17

remove unused css file

6b17046

silverwind added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Feb 16, 2022

lunny merged commit 616146f into go-gitea:main Feb 16, 2022

silverwind mentioned this pull request Feb 16, 2022

Various Mermaid improvements (#18776) #18780

Merged

silverwind deleted the mermaid-improve branch February 16, 2022 09:52

zeripath added the backport/done All backports for this PR have been created label Mar 9, 2022

wxiaoguang added this to the 1.17.0 milestone Mar 29, 2022

go-gitea locked and limited conversation to collaborators Apr 28, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Various Mermaid improvements #18776

Various Mermaid improvements #18776

silverwind commented Feb 15, 2022 •

edited

Loading

silverwind commented Feb 15, 2022

silverwind commented Feb 15, 2022 •

edited

Loading

Gusted commented Feb 15, 2022

silverwind commented Feb 16, 2022 •

edited

Loading

lunny commented Feb 16, 2022

lunny commented Feb 16, 2022

Various Mermaid improvements #18776

Various Mermaid improvements #18776

Conversation

silverwind commented Feb 15, 2022 • edited Loading

silverwind commented Feb 15, 2022

silverwind commented Feb 15, 2022 • edited Loading

Gusted commented Feb 15, 2022

silverwind commented Feb 16, 2022 • edited Loading

lunny commented Feb 16, 2022

lunny commented Feb 16, 2022

silverwind commented Feb 15, 2022 •

edited

Loading

silverwind commented Feb 15, 2022 •

edited

Loading

silverwind commented Feb 16, 2022 •

edited

Loading