Sanitizes the SVG produced by mermaid before it is injected via dangerouslySetInnerHTML.
Mermaid renders node labels as HTML inside SVG <foreignObject>, which DOMPurify strips by default. We allow
foreignObject and mark it as an HTML integration point so the labels survive while still being sanitized.
DOMPurify removes scripts, event handlers and javascript: URLs, but it does not block resource loading, so the hooks below
additionally strip any attribute or CSS reference (url(...), @import, image-set(...)) that would fetch a
remote resource (an image-based exfiltration vector), while keeping inline data: resources, internal
url(#...) references and <a> links.
Mermaid additionally runs with securityLevel: 'strict'.
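Added example (not the project's own code): the filter logic the hooks described above need, written as plain functions plus a small helper that wires them into DOMPurify's `uponSanitizeAttribute` and `uponSanitizeElement` hooks. The hook data fields (`attrName`, `attrValue`, `keepAttr`, `tagName`) and the config keys `USE_PROFILES` and `ADD_TAGS` are DOMPurify's documented API; exposing `HTML_INTEGRATION_POINTS` as a config key is assumed to be available in the DOMPurify version in use. Function names, the attribute list and all sample values are this example's own, and treating relative URLs as remote fetches is a design choice made here.

```javascript
// Added example: resource-fetch filtering for mermaid SVG before the DOMPurify
// output is injected. Function names and sample inputs are this example's own,
// not the project's. DOMPurify itself is only touched inside installHooks().

// Attributes that load a resource when they hold a URL (HTML and SVG spellings).
const RESOURCE_ATTRS = new Set(['href', 'xlink:href', 'src', 'srcset', 'poster', 'background']);

// A reference is "local" when it points into the document (#id) or carries its
// bytes inline (data:). Everything else, including relative paths, triggers a
// network fetch and is treated as remote (design choice for this example).
function isRemoteRef(value) {
  const v = String(value).trim().toLowerCase();
  if (v === '' || v.startsWith('#') || v.startsWith('data:')) return false;
  return true;
}

// True if a CSS fragment would fetch anything: @import, image-set(), or a url()
// whose target is neither a fragment nor a data: URI.
function cssHasRemoteFetch(css) {
  const text = String(css);
  if (/@import\b/i.test(text) || /image-set\s*\(/i.test(text)) return true;
  const urlRe = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
  let m;
  while ((m = urlRe.exec(text)) !== null) {
    if (isRemoteRef(m[2])) return true;
  }
  return false;
}

// Returns the attribute value to keep, or null to drop the attribute.
function sanitizeAttribute(tagName, attrName, attrValue) {
  const tag = String(tagName).toLowerCase();
  const name = String(attrName).toLowerCase();
  const value = String(attrValue);
  if (name === 'style') return cssHasRemoteFetch(value) ? null : value;
  if (RESOURCE_ATTRS.has(name)) {
    // <a href> navigates on click rather than fetching on render; DOMPurify has
    // already rejected javascript: and similar schemes, so plain links stay.
    if (tag === 'a' && (name === 'href' || name === 'xlink:href')) return value;
    return isRemoteRef(value) ? null : value;
  }
  // SVG presentation attributes (fill, stroke, filter, mask, clip-path, marker-*)
  // accept url(...) and can therefore point at an external document.
  if (/url\s*\(/i.test(value)) return cssHasRemoteFetch(value) ? null : value;
  return value;
}

// <style> blocks emitted by mermaid: drop the whole sheet if it would fetch.
function sanitizeStyleText(css) {
  return cssHasRemoteFetch(css) ? '' : String(css);
}

// DOMPurify config: allow foreignObject so the HTML labels survive. Assumes a
// DOMPurify version that accepts HTML_INTEGRATION_POINTS as a config key.
function buildPurifyConfig() {
  return {
    USE_PROFILES: { svg: true, svgFilters: true, html: true },
    ADD_TAGS: ['foreignObject'],
    HTML_INTEGRATION_POINTS: ['foreignobject'],
  };
}

// Wire the filters into a DOMPurify instance (call once at startup).
function installHooks(purify) {
  purify.addHook('uponSanitizeAttribute', (node, data) => {
    const kept = sanitizeAttribute(node.nodeName, data.attrName, data.attrValue);
    if (kept === null) {
      data.keepAttr = false;
    } else {
      data.attrValue = kept;
    }
  });
  purify.addHook('uponSanitizeElement', (node, data) => {
    if (data.tagName === 'style' && typeof node.textContent === 'string') {
      node.textContent = sanitizeStyleText(node.textContent);
    }
  });
}

// Usage in the renderer:
//   installHooks(DOMPurify);
//   const safeSvg = DOMPurify.sanitize(svgFromMermaid, buildPurifyConfig());
```

The attribute hook runs for every attribute DOMPurify is about to keep, so `fill="url(#grad)"` and `<use href="#node">` pass through while `<image href="https://...">`, a remote `fill="url(...)"`, and any `style` or `<style>` text containing `@import`, `image-set()` or a non-local `url()` are dropped. Links on `<a>` are kept because they navigate on click rather than fetching at render time, and DOMPurify has already rejected dangerous schemes on them.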