Theia API Documentation v1.73.0
    • Sanitizes the SVG produced by mermaid before it is injected via dangerouslySetInnerHTML.

      Mermaid renders node labels as HTML inside SVG <foreignObject>, which DOMPurify strips by default. We allow foreignObject and mark it as an HTML integration point so the labels survive while still being sanitized. DOMPurify removes scripts, event handlers and javascript: URLs, but not resource loading, so the hooks below additionally strip any attribute or CSS reference (url(...), @import, image-set(...)) that would fetch a remote resource (an image-based exfiltration vector), while keeping inline data: resources, internal url(#...) references and <a> links. Mermaid additionally runs with securityLevel: 'strict'.

      Parameters

      • svg: string

      Returns string
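
The remote-resource policy described above, as an added example that is not Theia's implementation: pure string checks deciding whether an attribute value or CSS text would fetch something remote. The function names and the fail-closed handling of CSS escapes are assumptions of this example.

```javascript
// Added example, not Theia's code. Pure string checks, no DOM required.

// Kept: inline data: resources and internal #fragment references.
function isLocalTarget(target) {
    const t = target.trim().replace(/^["']|["']$/g, '').trim().toLowerCase();
    return t.startsWith('#') || t.startsWith('data:');
}

// Argument text of a call whose "(" is at `open`, honouring quotes and nesting,
// so a ")" inside a quoted data: URI does not end the match early.
function callBody(text, open) {
    let depth = 0, quote = null;
    for (let i = open; i < text.length; i++) {
        const c = text[i];
        if (quote) { if (c === quote) quote = null; }
        else if (c === '"' || c === "'") quote = c;
        else if (c === '(') depth++;
        else if (c === ')' && --depth === 0) return text.slice(open + 1, i);
    }
    return text.slice(open + 1); // unterminated call: take the rest
}

// True when CSS text (or a presentation attribute such as fill/filter/mask)
// references anything other than a data: URI or an internal fragment.
function cssFetchesRemote(css) {
    if (css.includes('\\')) return true; // escapes can spell "url": fail closed
    const targets = [];
    for (const m of css.matchAll(/(url|image-set)\(/gi)) {
        const body = callBody(css, m.index + m[0].length - 1);
        if (m[1].toLowerCase() === 'url') targets.push(body);
        // image-set() also accepts bare strings as image URLs
        else for (const s of body.matchAll(/(["'])(.*?)\1/g)) targets.push(s[2]);
    }
    for (const m of css.matchAll(/@import\s*(["'])(.*?)\1/gi)) targets.push(m[2]);
    return targets.some(t => !isLocalTarget(t));
}

// Decision for one attribute: true means "remove it".
function attrFetchesRemote(tag, name, value) {
    const n = name.toLowerCase();
    if (n === 'href' || n === 'xlink:href' || n === 'src') {
        return tag.toLowerCase() !== 'a' && !isLocalTarget(value); // <a> links stay
    }
    return cssFetchesRemote(value);
}
```

With DOMPurify, checks like these would run from an attribute hook such as `uponSanitizeAttribute`, with `cssFetchesRemote` also applied to the text of `<style>` elements.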