Merge branch 'sh-update-mermaid' into 'master'

Update Mermaid to v8.2.3

Closes #64601

See merge request gitlab-org/gitlab-ce!30985

app/assets/javascripts/behaviors/markdown/render_mermaid.js

@@ -33,6 +33,7 @@ export default function renderMermaid($els) {
         flowchart: {
           htmlLabels: false,
         },
+        securityLevel: 'strict',
       });
 
       $els.each((i, el) => {

changelogs/unreleased/sh-update-mermaid.yml

@@ -0,0 +1,5 @@
+---
+title: Update Mermaid to v8.2.3
+merge_request: 30985
+author:
+type: fixed

package.json

@@ -96,7 +96,7 @@
     "jszip-utils": "^0.0.2",
     "katex": "^0.10.0",
     "marked": "^0.3.12",
-    "mermaid": "^8.1.0",
+    "mermaid": "^8.2.3",
     "monaco-editor": "^0.15.6",
     "monaco-editor-webpack-plugin": "^1.7.0",
     "mousetrap": "^1.4.6",

spec/features/issues/user_comments_on_issue_spec.rb

@@ -41,16 +41,17 @@ describe "User comments on issue", :js do
       expect(page.find('pre code').text).to eq code_block_content
     end
 
-    it "does not render html content in mermaid" do
+    it "renders escaped HTML content in Mermaid" do
       html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
       mermaid_content = "graph LR\n  B-->D(#{html_content});"
+      escaped_content = CGI.escapeHTML(html_content).gsub('=', "&equals;")
       comment = "```mermaid\n#{mermaid_content}\n```"
 
       add_note(comment)
 
       wait_for_requests
 
-      expect(page.find('svg.mermaid')).to have_content html_content
+      expect(page.find('svg.mermaid')).to have_content escaped_content
     end
   end