From b141f24068e9c5f6979706383a29db6380ffdf31 Mon Sep 17 00:00:00 2001 From: Ashish Jain Date: Thu, 10 Feb 2022 17:29:09 +0100 Subject: [PATCH] docs: added info for 'sandbox' securtity level --- docs/usage.md | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/docs/usage.md b/docs/usage.md index 3b9138d8ff..3a6ff2697d 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -50,7 +50,8 @@ The easiest way to integrate mermaid on a web page requires three elements: 2. The `mermaidAPI` call, in a separate `script` tag. Example: ```html - + ``` 3. A graph definition, inside `
` tags labeled `class=mermaid`. Example: @@ -82,7 +83,8 @@ locate the graph definitions inside the `div` tags with `class="mermaid"` and re B-->D(fa:fa-spinner);
- + ``` @@ -105,17 +107,19 @@ Mermaid can load multiple diagrams, in the same page. | Parameter | Description | Type | Required | Values | | ------------- | --------------------------------- | ------ | -------- | ------------------------- | -| securityLevel | Level of trust for parsed diagram | String | Required | Strict, Loose, antiscript | +| securityLevel | Level of trust for parsed diagram | String | Required | Strict, Loose, antiscript , sandbox| Values: - **strict**: (**default**) tags in text are encoded, click functionality is disabled - **loose**: tags in text are allowed, click functionality is enabled - **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled +- **sandbox**: With this security level all rendering takes place in a sandboxed iframe. This prevent any javascript running in the context. This may hinder interactive functionality of the diagram like scripts, popups in sequence diagram or links to other tabs/targets etc. ```note This changes the default behaviour of mermaid so that after upgrade to 8.2,unless the `securityLevel` is not changed, tags in flowcharts are encoded as tags and clicking is disabled. +**sandbox** security level is still in the beta version. ``` **If you are taking responsibility for the diagram source security you can set the `securityLevel` to a value of your choosing . This allows clicks and tags are allowed.** @@ -203,20 +207,10 @@ The example below show an outline of how this could be used. The example just lo ``` @@ -345,13 +339,7 @@ on what kind of integration you use. ```html ```