huntr · Kevin-mizu · 125791B6-3A68-4235-8866-6BC3A52332BA
History: Sep 13, 2022 - 2:52 p.m.

XSS via Mathematical Typesetting

2022-09-13 14:52:14
kevin-mizu
www.huntr.dev
mathematical typesetting
asciimath
latex
xss
bug bounty
security risk
javascript wrapper

EPSS: 0.001 (Low) · Percentile: 30.2%

🔒️ Requirements

Feature: Extras > Mathematical Typesetting enabled.

User interaction: open the vulnerable page or diagram and wheel-click (middle-click) the link.

📝 Description

The Mathematical Typesetting feature renders inline AsciiMath or LaTeX content. LaTeX's \href macro turns part of that content into a link, and by default the renderer accepts dangerous URL schemes such as javascript: in the link target, so a crafted link executes attacker-controlled script when it is clicked (in the draw.io context, on wheel click).

🕵️‍♂️ Proof of Concept

Step 1: Enable Mathematical Typesetting.

math.png

Step 2: Copy and paste $$\href{javascript:alert()}{CLICK}$$ into the diagram.

link.png

Step 3: Wheel click on the link.

xss.png

If it does not work, check the Requirements section.

🛠️ Fix suggestion

Use the ui/safe extension, which prevents several such risks, including javascript: URLs in the href attribute.
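As an added example that is not part of this report nor code from draw.io or MathJax, the JavaScript below shows the MathJax v3 loader/options fragment that enables ui/safe, and a stand-alone mirror of the URL check that extension applies to \href targets, run over the TeX source from the proof of concept so the payload can be tested offline. The option names are the ones I recall from the MathJax v3 documentation; treat them as an assumption and check them against the MathJax version actually bundled. The sample TeX string is constructed for the example.

```javascript
// Added example, not draw.io or MathJax code. (1) MathJax v3 configuration
// enabling ui/safe; (2) a mirror of the ui/safe URL check applied to raw TeX.
// Option names follow the MathJax v3 docs as recalled (assumption): verify
// against the bundled MathJax version.

// (1) Loader/options fragment (assumption: MathJax v3 option names).
const MATHJAX_SAFE_CONFIG = {
  loader: { load: ['ui/safe'] },
  options: {
    safeOptions: {
      allow: { URLs: 'safe', classes: 'safe', cssIDs: 'safe', styles: 'safe' },
      // Scheme allowlist: any scheme not explicitly true is dropped from href.
      safeProtocols: { http: true, https: true, file: true, javascript: false, data: false },
    },
  },
};
const SAFE_PROTOCOLS = MATHJAX_SAFE_CONFIG.options.safeOptions.safeProtocols;

// (2) Scheme extraction. Leading whitespace/control characters are stripped
// first because browsers ignore them ("  javascript:" still executes).
function urlScheme(url) {
  const cleaned = url.replace(/^[\x00-\x20]+/, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;   // null: relative URL, no scheme
}

// ui/safe semantics: relative URLs pass; a scheme passes only if explicitly
// allowed; unknown schemes (vbscript: etc.) are rejected, not just javascript:.
function isSafeUrl(url) {
  const scheme = urlScheme(url);
  return scheme === null || SAFE_PROTOCOLS[scheme] === true;
}

// Read one balanced {...} group starting at src[i] === '{'; honours backslash escapes.
function readGroup(src, i) {
  if (src[i] !== '{') return null;
  let depth = 0;
  for (let j = i; j < src.length; j++) {
    const c = src[j];
    if (c === '\\') { j++; continue; }
    if (c === '{') depth++;
    else if (c === '}' && --depth === 0) return { body: src.slice(i + 1, j), end: j + 1 };
  }
  return null;                               // unbalanced group
}

// Find every \href{url}{text} in a TeX string and classify its target.
function findHrefs(tex) {
  const found = [];
  let i = 0;
  while ((i = tex.indexOf('\\href', i)) !== -1) {
    if (/[a-zA-Z]/.test(tex[i + 5] || '')) { i += 5; continue; }   // e.g. \hreffoo, not \href
    let p = i + 5;
    while (p < tex.length && /\s/.test(tex[p])) p++;
    const url = readGroup(tex, p);
    if (!url) { i += 5; continue; }
    let q = url.end;
    while (q < tex.length && /\s/.test(tex[q])) q++;
    const text = readGroup(tex, q);
    if (!text) { i += 5; continue; }
    found.push({ start: i, end: text.end, url: url.body, text: text.body, safe: isSafeUrl(url.body) });
    i = text.end;
  }
  return found;
}

// Rewrite unsafe \href macros to their link text only, which is the visible
// effect of ui/safe dropping the href attribute. Works right-to-left so the
// offsets recorded by findHrefs stay valid.
function neutralizeUnsafeHrefs(tex) {
  let out = tex;
  for (const h of findHrefs(tex).reverse()) {
    if (!h.safe) out = out.slice(0, h.start) + '{' + h.text + '}' + out.slice(h.end);
  }
  return out;
}

// Constructed sample: the payload from the report plus a benign link.
const SAMPLE = '$$\\href{javascript:alert()}{CLICK}$$ and $$\\href{https://example.com/}{docs}$$';
console.log(findHrefs(SAMPLE).map(h => `${h.url} -> ${h.safe ? 'allowed' : 'blocked'}`));
console.log(neutralizeUnsafeHrefs(SAMPLE));
```

The scan over TeX source is a pre-render check you can run on diagram content before it reaches the typesetter; it does not replace ui/safe, which filters the rendered output and also covers classes, ids and styles, but it makes the scheme allowlist explicit and testable, and it shows why an allowlist (not a javascript: denylist) is the right shape: data: and vbscript: targets are rejected as well.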

