fix(mindmap): correctly render ampersand (&)

[nour0205]

📑 Summary

Fixes an issue where ampersands (&) were not rendering properly in Mindmap nodes. This was caused by using .text(description), which escapes special characters, instead of .html(description).

Resolves #6308

📏 Design Decisions

Issue: When rendering text inside Mindmap nodes, .text() was escaping special characters like &, causing them to display incorrectly.
Solution: Updated createText.ts to use .html(description) instead of .text(description), ensuring proper rendering.
Impact: This fix allows ampersands (&) and other special HTML characters to be displayed correctly without breaking existing functionality.

📋 Tasks

Make sure you

• [ x] 📖 have read the contribution guidelines
• [x ] 💻 have added necessary unit/e2e tests.
• [ x] 📓 have added documentation. Make sure MERMAID_RELEASE_VERSION is used for all new features.
• [x ] 🦋 If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 79fa79a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

✅ Deploy Preview for mermaid-js ready!

Name	Link
🔨 Latest commit	79fa79a
🔍 Latest deploy log	https://app.netlify.com/sites/mermaid-js/deploys/67bc84eef2e13c0008f0a1e4
😎 Deploy Preview	https://deploy-preview-6315--mermaid-js.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[pkg-pr-new]

Open in Stackblitz

npm i https://pkg.pr.new/mermaid-js/mermaid@6315

npm i https://pkg.pr.new/mermaid-js/mermaid/@mermaid-js/mermaid-zenuml@6315

npm i https://pkg.pr.new/mermaid-js/mermaid/@mermaid-js/layout-elk@6315

npm i https://pkg.pr.new/mermaid-js/mermaid/@mermaid-js/parser@6315

commit: 79fa79a

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.

Project coverage is 3.89%. Comparing base (3be59a7) to head (79fa79a).

Files with missing lines	Patch %	Lines
packages/mermaid/src/diagrams/mindmap/mindmapDb.ts	0.00%	4 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           develop   #6315   +/-   ##
=======================================
  Coverage     3.89%   3.89%           
=======================================
  Files          398     397    -1     
  Lines        41966   41958    -8     
  Branches       637     637           
=======================================
  Hits          1634    1634           
+ Misses       40332   40324    -8     

Flag	Coverage Δ
unit	3.89% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
packages/mermaid/src/diagrams/mindmap/mindmapDb.ts	0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes

[argos-ci]

The latest updates on your projects. Learn more about Argos notifications ↗︎

Build	Status	Details	Updated (UTC)
default (Inspect)	✅ No changes detected	-	Feb 24, 2025, 2:49 PM

[hanyuhanyuhanyu]

I also investigated this issue, and this code seems to work.
But the suggested change is made to commonly used function createText, it will affect not only mindmap diagram but also architecture and class, as they depend on it. Moreover, it is difficult to predict whether using html instead of text could introduce vulnerabilities.

In my opinion, the following code has less impact on other diagrams and less likely to introduce vulnerability.

Suggestion

Change src/diagrams/mindmap/mindmapDb.ts#addNode as follows to replace each escaped html special characters.

  const node = {
    id: cnt++,
    nodeId: sanitizeText(id, conf),
    level,
    descr: sanitizeText(descr, conf)
+     .replace(/&/g, '&')
+     .replace(/>/g, '>') // Those characters cannot be rendered as expected too!
+     .replace(/&lt;/g, '<'),
    type,
    children: [],
    width: conf.mindmap?.maxNodeWidth ?? defaultConfig.mindmap.maxNodeWidth,
    padding,
  } satisfies MindmapNode;

This code is part of the process that parses raw mermaid mindmap code. HTML special characters are escaped here, and they are passed to D3.Selection.text, so the rendered text remains escaped.

This approach is also used in sequenceDb.ts#addLinks as follows.

      let sanitizedText = sanitizeText(text.text, getConfig());
      sanitizedText = sanitizedText.replace(/=/g, '=');
      sanitizedText = sanitizedText.replace(/&/g, '&');

It fixes the problem in my environment, at least.

(before)

I hope this helps.