fix: mermaid graph (#29811)

Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
Co-authored-by: Joel <iamjoel007@gmail.com>

web/app/components/base/mermaid/utils.spec.ts

@@ -1,4 +1,4 @@
-import { cleanUpSvgCode } from './utils'
+import { cleanUpSvgCode, prepareMermaidCode, sanitizeMermaidCode } from './utils'
 
 describe('cleanUpSvgCode', () => {
   it('replaces old-style <br> tags with the new style', () => {
@@ -6,3 +6,54 @@ describe('cleanUpSvgCode', () => {
     expect(result).toEqual('<br/>test<br/>')
   })
 })
+
+describe('sanitizeMermaidCode', () => {
+  it('removes click directives to prevent link/callback injection', () => {
+    const unsafeProtocol = ['java', 'script:'].join('')
+    const input = [
+      'gantt',
+      'title Demo',
+      'section S1',
+      'Task 1 :a1, 2020-01-01, 1d',
+      `click A href "${unsafeProtocol}alert(location.href)"`,
+      'click B call callback()',
+    ].join('\n')
+
+    const result = sanitizeMermaidCode(input)
+
+    expect(result).toContain('gantt')
+    expect(result).toContain('Task 1')
+    expect(result).not.toContain('click A')
+    expect(result).not.toContain('click B')
+    expect(result).not.toContain(unsafeProtocol)
+  })
+
+  it('removes Mermaid init directives to prevent config overrides', () => {
+    const input = [
+      '%%{init: {"securityLevel":"loose"}}%%',
+      'graph TD',
+      'A-->B',
+    ].join('\n')
+
+    const result = sanitizeMermaidCode(input)
+
+    expect(result).toEqual(['graph TD', 'A-->B'].join('\n'))
+  })
+})
+
+describe('prepareMermaidCode', () => {
+  it('sanitizes click directives in flowcharts', () => {
+    const unsafeProtocol = ['java', 'script:'].join('')
+    const input = [
+      'graph TD',
+      'A[Click]-->B',
+      `click A href "${unsafeProtocol}alert(1)"`,
+    ].join('\n')
+
+    const result = prepareMermaidCode(input, 'classic')
+
+    expect(result).toContain('graph TD')
+    expect(result).not.toContain('click ')
+    expect(result).not.toContain(unsafeProtocol)
+  })
+})