From 6f800be33be08d543f27b1fc995b23a4fdeecd01 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist <knut.sveidqvist@ipiccolo.com>
Date: Thu, 23 Dec 2021 11:03:07 +0100
Subject: [PATCH] Fix for issue with links from actors

---
 cypress/platform/xss15.html        |  4 +--
 src/diagrams/common/common.js      | 34 ++++++++++++++++-----
 src/diagrams/common/common.spec.js | 47 +++++++++++++++++++++++++++++-
 3 files changed, 74 insertions(+), 11 deletions(-)

diff --git a/cypress/platform/xss15.html b/cypress/platform/xss15.html
index a2d882dffe..94506def5f 100644
--- a/cypress/platform/xss15.html
+++ b/cypress/platform/xss15.html
@@ -70,7 +70,7 @@
         // fontFamily: 'courier',
         fontSize: 18,
         curve: 'basis',
-        securityLevel: 'strict  ',
+        securityLevel: 'strict',
         startOnLoad: false,
         secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
         // themeVariables: {relationLabelColor: 'red'}
@@ -90,7 +90,7 @@
       var diagram = `sequenceDiagram
     participant John
     links John: {"XSS": "javas`;
-diagram += 'cript:alert(window.opener.document.domain)"}';
+diagram += `cript:alert('AudioParam')"}`;
 
 //   var diagram = "stateDiagram-v2\n";
 //  diagram += "<img/src='1'/onerror"
diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js
index e2de952d7b..6ed40871a6 100644
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -13,6 +13,24 @@ export const getRows = (s) => {
   return str.split('#br#');
 };
 
+export const removeEscapes = (text) => {
+  let newStr = text.replace(/\\u[\dA-F]{4}/gi, function (match) {
+    return String.fromCharCode(parseInt(match.replace(/\\u/g, ''), 16));
+  });
+
+  console.log(newStr);
+
+  newStr = newStr.replace(/\\x([0-9a-f]{2})/gi, (_, c) => String.fromCharCode(parseInt(c, 16)));
+  newStr = newStr.replace(/\\[\d\d\d]{3}/gi, function (match) {
+    return String.fromCharCode(parseInt(match.replace(/\\/g, ''), 8));
+  });
+  newStr = newStr.replace(/\\[\d\d\d]{2}/gi, function (match) {
+    return String.fromCharCode(parseInt(match.replace(/\\/g, ''), 8));
+  });
+
+  return newStr;
+};
+
 /**
  * Removes script tags from a text
  *
@@ -40,13 +58,12 @@ export const removeScript = (txt) => {
       break;
     }
   }
-
-  rs = rs.replace(/script>/gi, '#');
-  rs = rs.replace(/script>/gi, '#');
-  rs = rs.replace(/javascript:/gi, '#');
-  rs = rs.replace(/onerror=/gi, 'onerror:');
-  rs = rs.replace(/<iframe/gi, '');
-  return rs;
+  let decodedText = removeEscapes(rs);
+  decodedText = decodedText.replace(/script>/gi, '#');
+  decodedText = decodedText.replace(/javascript:/gi, '#');
+  decodedText = decodedText.replace(/onerror=/gi, 'onerror:');
+  decodedText = decodedText.replace(/<iframe/gi, '');
+  return decodedText;
 };
 
 const sanitizeMore = (text, config) => {
@@ -62,7 +79,7 @@ const sanitizeMore = (text, config) => {
   if (htmlLabels) {
     const level = config.securityLevel;
 
-    if (level === 'antiscript') {
+    if (level === 'antiscript' || level === 'strict') {
       txt = removeScript(txt);
     } else if (level !== 'loose') {
       // eslint-disable-line
@@ -171,4 +188,5 @@ export default {
   removeScript,
   getUrl,
   evaluate,
+  removeEscapes,
 };
diff --git a/src/diagrams/common/common.spec.js b/src/diagrams/common/common.spec.js
index 6b7fe52357..e71400479d 100644
--- a/src/diagrams/common/common.spec.js
+++ b/src/diagrams/common/common.spec.js
@@ -1,4 +1,4 @@
-import { removeScript } from './common';
+import { removeScript, removeEscapes } from './common';
 
 describe('when securityLevel is antiscript, all script must be removed', function () {
   it('should remove all script block, script inline.', function () {
@@ -24,3 +24,48 @@ describe('when securityLevel is antiscript, all script must be removed', functio
     expect(isEqual).toEqual(true);
   });
 });
+
+describe('remove escape code in text', function () {
+  it('should remove a unicode colon', function () {
+    const labelString = '\\u003A';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual(':');
+  });
+  it('should remove a hex colon', function () {
+    const labelString = '\\x3A';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual(':');
+  });
+  it('should remove a oct colon', function () {
+    const labelString = '\\72';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual(':');
+  });
+  it('should remove a oct colon 3 numbers', function () {
+    const labelString = '\\072';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual(':');
+  });
+  it('should remove multiple colons 3 numbers', function () {
+    const labelString = '\\072\\072\\72';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual(':::');
+  });
+  it('should handle greater and smaller then', function () {
+    const labelString = '\\74\\076';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual('<>');
+  });
+  it('should handle letters', function () {
+    const labelString = '\\u0073\\143ri\\x70\\u0074\\x3A';
+
+    const result = removeEscapes(labelString);
+    expect(result).toEqual('script:');
+  });
+});