Release docs

mermaid-js · Jul 21, 2019 · 5dd3921 · 5dd3921
1 parent 9c150ee
commit 5dd3921
Show file tree

Hide file tree

Showing 7 changed files with 184 additions and 120 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/README.md b/README.md
@@ -4,6 +4,23 @@
 
 # mermaid
 
+## Special note regarding version 8.2
+
+In version 8.2 a security improvement was introduced. A securityLevel configuration was introduced wich sets the level of trust to be used on the parsed diagrams.
+
+* **true**: (default) tags in text are encoded, click functionality is disabled
+* false: tags in text are allowed, click functionality is enabledClosed issues: 
+
+⚠️ **Note** : This changes the default behaviour of mermaid so that after upgrade to 8.2, if the securityLevel is not configured, tags in flowcharts are encoded as tags and clicking is prohibited.
+
+If your application is taking resposibility for the diagram source security you can set the securityLevel accordingly. By doing this clicks and tags are again allowed.
+
+```javascript
+    mermaidAPI.initialize({
+        securityLevel: 'loose'
+    });
+```
+
 **🖖 Keep a steady pulse: mermaid needs more Collaborators [#866](https://github.com/knsv/mermaid/issues/866)**
 
 ![banner](./img/header.png)

diff --git a/dist/xssi.html b/dist/xssi.html
@@ -13,13 +13,7 @@
 </head>
 <body>
   <div class="mermaid">
-    gantt
-      title Exclusive end dates <strong>If bold then xss</strong> (Manual date should end on 3d)
-      dateFormat YYYY-MM-DD
-      axisFormat %d
-      section Section1
-       2 Days: 1, 2019-01-01,2d
-       Manual Date: 2, 2019-01-01,2019-01-03
+    info
   </div>
   <img src=xss.png />
     <div class="mermaid">
@@ -38,13 +32,14 @@
   </div>
   <div class="mermaid">
 graph TD
-A[Christmas] -->|Get money| B(Go shopping)
-B --> C{Let me think}
+A[Click on] -->|Get happines| BBBB(Clickable)
+BBBB --> C{Let me think}
 C -->|One| D[Laptop]
 C -->|Two| E[iPhone]
 C -->|Three| F[Car]
 click A "index.html#link-clicked" "link test"
-click B testClick "click test"
+click BBBB testClick "click test"
+click C "javascript:alert" "link test"
 classDef someclass fill:#f96;
 class A someclass;
   </div>
@@ -101,6 +96,7 @@
       gantt: { axisFormat: '%m/%d/%Y' },
       sequence: { actorMargin: 50 },
       // sequenceDiagram: { actorMargin: 300 } // deprecated
+      securityLevel:'loose'
     });
   </script>
   <script>

diff --git a/docs/README.md b/docs/README.md
@@ -4,6 +4,23 @@
 
 # mermaid
 
+## Special note regarding version 8.2
+
+In version 8.2 a security improvement was introduced. A securityLevel configuration was introduced wich sets the level of trust to be used on the parsed diagrams.
+
+* **true**: (default) tags in text are encoded, click functionality is disabled
+* false: tags in text are allowed, click functionality is enabledClosed issues: 
+
+⚠️ **Note** : This changes the default behaviour of mermaid so that after upgrade to 8.2, if the securityLevel is not configured, tags in flowcharts are encoded as tags and clicking is prohibited.
+
+If your application is taking resposibility for the diagram source security you can set the securityLevel accordingly. By doing this clicks and tags are again allowed.
+
+```javascript
+    mermaidAPI.initialize({
+        securityLevel: 'loose'
+    });
+```
+
 **🖖 Keep a steady pulse: mermaid needs more Collaborators [#866](https://github.com/knsv/mermaid/issues/866)**
 
 ![banner](./img/header.png)

diff --git a/docs/flowchart.md b/docs/flowchart.md
@@ -111,6 +111,19 @@ graph LR
     id1{This is the text in the box}
 ```
 
+### 1
+
+```mermaid
+graph TD
+    A[/Christmas\]
+```
+### 2
+
+```mermaid
+graph TD
+    B[\Go shopping/]
+```
+
 ## Links between nodes
 
 Nodes can be connected with links/edges. It is possible to have different types of links or attach a text string to a link.

diff --git a/docs/usage.md b/docs/usage.md
@@ -55,6 +55,23 @@ Would end up like this:
 
 An id is also added to mermaid tags without id.
 
+### To enable click event and tags in nodes
+
+In version 8.2 a security improvement was introduced. A securityLevel configuration was introduced wich sets the level of trust to be used on the parsed diagrams.
+
+* **true**: (default) tags in text are encoded, click functionality is disabled
+* false: tags in text are allowed, click functionality is enabledClosed issues: 
+
+⚠️ **Note** : This changes the default behaviour of mermaid so that after upgrade to 8.2, if the securityLevel is not configured, tags in flowcharts are encoded as tags and clicking is prohibited.
+
+If your application is taking resposibility for the diagram source security you can set the securityLevel accordingly. By doing this clicks and tags are again allowed.
+
+```javascript
+    mermaidAPI.initialize({
+        securityLevel: 'loose'
+    });
+```
+
 ### Simple full example:
 
 ```html

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "mermaid",
-  "version": "8.1.0",
+  "version": "8.2.1",
   "description": "Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.",
   "main": "dist/mermaid.core.js",
   "keywords": [