fix: stop dompurify from breaking draw.io diagrams (#7888)

tribut · web-flow · commit b950e065e9b7 · 2026-01-06T16:56:35.000-05:00
Newer versions of dompurify strip <foreignobject> tags if not explicitly allowed. See cure53/DOMPurify#1040 Fixes #7744
diff --git a/client/components/editor/editor-asciidoc.vue b/client/components/editor/editor-asciidoc.vue
@@ -228,7 +228,8 @@ export default {
       })
 
       this.previewHTML = DOMPurify.sanitize($.html(), {
-        ADD_TAGS: ['foreignObject']
+        ADD_TAGS: ['foreignObject'],
+        HTML_INTEGRATION_POINTS: { foreignobject: true }
       })
     },
     /**
diff --git a/client/components/editor/editor-markdown.vue b/client/components/editor/editor-markdown.vue
@@ -454,7 +454,8 @@ export default {
       // this.$store.set('editor/content', newContent)
       this.processMarkers(this.cm.firstLine(), this.cm.lastLine())
       this.previewHTML = DOMPurify.sanitize(md.render(newContent), {
-        ADD_TAGS: ['foreignObject']
+        ADD_TAGS: ['foreignObject'],
+        HTML_INTEGRATION_POINTS: { foreignobject: true }
       })
       this.$nextTick(() => {
         tabsetHelper.format()
diff --git a/server/modules/rendering/html-security/renderer.js b/server/modules/rendering/html-security/renderer.js
@@ -34,7 +34,8 @@ module.exports = {
 
       input = DOMPurify.sanitize(input, {
         ADD_ATTR: allowedAttrs,
-        ADD_TAGS: allowedTags
+        ADD_TAGS: allowedTags,
+        HTML_INTEGRATION_POINTS: { foreignobject: true }
       })
     }
     return input

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,8 @@ module.exports = {`
`34`	`34`
`35`	`35`	`input = DOMPurify.sanitize(input, {`
`36`	`36`	`ADD_ATTR: allowedAttrs,`
`37`		`- ADD_TAGS: allowedTags`
	`37`	`+ ADD_TAGS: allowedTags,`
	`38`	`+ HTML_INTEGRATION_POINTS: { foreignobject: true }`
`38`	`39`	`})`
`39`	`40`	`}`
`40`	`41`	`return input`