Fix XSS in Mermaid Markdown rendering

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/332528

Changelog: security

app/assets/javascripts/behaviors/markdown/render_mermaid.js

@@ -66,6 +66,7 @@ export function initMermaid(mermaid) {
       useMaxWidth: true,
       htmlLabels: true,
     },
+    secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize', 'htmlLabels'],
     securityLevel: 'strict',
   });
 

spec/features/markdown/mermaid_spec.rb

@@ -260,8 +260,6 @@ RSpec.describe 'Mermaid rendering', :js do
 
     description *= 51
 
-    project = create(:project, :public)
-
     wiki_page = build(:wiki_page, { container: project, content: description })
     wiki_page.create message: 'mermaid test commit' # rubocop:disable Rails/SaveBang
     wiki_page = project.wiki.find_page(wiki_page.slug)
@@ -277,6 +275,27 @@ RSpec.describe 'Mermaid rendering', :js do
       expect(page).not_to have_selector('.js-lazy-render-mermaid-container')
     end
   end
+
+  it 'does not allow HTML injection' do
+    description = <<~MERMAID
+    ```mermaid
+    %%{init: {"flowchart": {"htmlLabels": "false"}} }%%
+    flowchart
+      A["<iframe></iframe>"]
+    ```
+    MERMAID
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    wait_for_requests
+    wait_for_mermaid
+
+    page.within('.description') do
+      expect(page).not_to have_xpath("//iframe")
+    end
+  end
 end
 
 def wait_for_mermaid