From da73d4f784d40cd0abf01d140a1304a345a18e12 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Wed, 23 Oct 2024 19:42:54 +0200
Subject: [PATCH] web/admin: add strict dompurify config for diagram (#11783)
Signed-off-by: Jens Langhammer
---
 web/src/common/purify.ts | 4 ++++
 web/src/elements/Diagram.ts | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/web/src/common/purify.ts b/web/src/common/purify.ts
index 772ee41534..78fcb61b5d 100644
--- a/web/src/common/purify.ts
+++ b/web/src/common/purify.ts
@@ -6,6 +6,10 @@ import { TemplateResult, html } from "lit";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";
 import { until } from "lit/directives/until.js";
+export const DOM_PURIFY_STRICT: DOMPurify.Config = {
+ ALLOWED_TAGS: ["#text"],
+};
+
 export function purify(input: TemplateResult): TemplateResult {
 return html`${until(
 (async () => {
diff --git a/web/src/elements/Diagram.ts b/web/src/elements/Diagram.ts
index 41028b96b3..b8c79de3b5 100644
--- a/web/src/elements/Diagram.ts
+++ b/web/src/elements/Diagram.ts
@@ -1,4 +1,5 @@
 import { EVENT_REFRESH, EVENT_THEME_CHANGE } from "@goauthentik/common/constants";
+import { DOM_PURIFY_STRICT } from "@goauthentik/common/purify";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/EmptyState";
 import mermaid, { MermaidConfig } from "mermaid";
@@ -47,6 +48,8 @@ export class Diagram extends AKElement {
 curve: "linear",
 },
 htmlLabels: false,
+ securityLevel: "strict",
+ dompurifyConfig: DOM_PURIFY_STRICT,
 };
 mermaid.initialize(this.config);
 }
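Review bot: `DOM_PURIFY_STRICT` is exported without any comment, and what it actually does — drop every element while keeping the text inside it — follows from DOMPurify's `"#text"` pseudo-tag together with its default `KEEP_CONTENT: true`, none of which is visible at this call site, so `ALLOWED_TAGS: ["#text"]` can easily be read as a typo by the next maintainer. I would put a TSDoc block above the constant stating that `#text` is DOMPurify's name for text nodes, that with no element tags allowed any markup in the sanitized input is reduced to its text content, and that the object is meant for mermaid's `dompurifyConfig` (see Diagram.ts, #11783) rather than for the general `purify()` helper below. The `DOMPurify.Config` annotation depends on a `DOMPurify` import above line 6, outside this hunk. The `purify` function that follows the added lines continues past the end of the hunk.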
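Review bot: The two fields added after `htmlLabels: false` carry no explanation of why both are set, and since `"strict"` is already mermaid's default `securityLevel`, a later cleanup could drop it as redundant without realising it is paired with the DOMPurify config. I would add above `securityLevel`: `// Labels render as text only: "strict" stops mermaid from emitting HTML labels, and DOM_PURIFY_STRICT strips every element from whatever mermaid still passes through DOMPurify (#11783).` If the diagram source rendered here can contain mermaid `%%{init: ...}%%` directives, it is worth confirming that `dompurifyConfig` cannot be overridden from the diagram text — mermaid's `secure` config option lists the keys directives may not change, and as far as I recall `dompurifyConfig` is not in that list by default, so adding it there would pin this setting. The enclosing `Diagram` class and the `config` initializer both begin outside the hunk, and the class body continues after it.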