Mermaid renders user-supplied diagram text into HTML/SVG. Its security depends on the rendering mode (securityLevel) and on preventing untrusted diagram content from loosening those defaults at runtime.
Recommended settings:
- Keep securityLevel at strict (or sandbox for untrusted content).
- securityLevel: "strict" is the baseline (and the default) for production docs.
- Use sandbox to isolate rendering in an iframe context.
- Avoid loose/antiscript unless you fully trust the diagram input and understand the XSS trade-offs.
- Use the secure config option to prevent runtime override of security-critical settings.

References:
- securityLevel schema docs: https://mermaid.js.org/config/schema-docs/config-properties-securitylevel.html
- MermaidConfig interface (secure option): https://mermaid.js.org/config/setup/mermaid/interfaces/MermaidConfig.html
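The following is an added example, not Mermaid's own code: it builds a hardened mermaid.initialize() config (strict for trusted content, sandbox for untrusted content, with security-critical keys listed in secure) and audits diagram text for %%{init: ...}%% directives that try to override those keys before rendering. The function names, the protected key list and the assumption that directive bodies parse as JSON once single quotes are swapped for double quotes are this example's own; Mermaid's real directive parser is more lenient.

```javascript
// Added example (not Mermaid's own code): a hardened mermaid.initialize()
// config plus a pre-render audit of %%{init: ...}%% directives in diagram
// text. Assumptions: directive bodies are JSON after swapping single quotes
// for double quotes, and the protected key list below is this example's own
// choice, not Mermaid's documented default.

// Config keys that diagram text must not be allowed to override at runtime.
const PROTECTED_KEYS = ["secure", "securityLevel", "startOnLoad", "maxTextSize"];

// Build the config for mermaid.initialize(). "trusted" means diagrams your
// own team authored (e.g. docs in the repo); anything else is treated as
// untrusted and rendered in an iframe sandbox.
function buildMermaidConfig(trustLevel) {
  return {
    startOnLoad: false,
    securityLevel: trustLevel === "trusted" ? "strict" : "sandbox",
    secure: [...PROTECTED_KEYS],
  };
}

// Return the raw object bodies of every %%{init: {...}}%% directive, using
// brace counting so nested objects (e.g. themeVariables) are kept whole.
function extractInitDirectives(text) {
  const bodies = [];
  const opener = /%%\{\s*init\s*:\s*\{/g;
  let m;
  while ((m = opener.exec(text)) !== null) {
    const start = m.index + m[0].length - 1; // index of the object's "{"
    let depth = 0;
    let end = -1;
    for (let i = start; i < text.length; i++) {
      if (text[i] === "{") depth++;
      else if (text[i] === "}" && --depth === 0) { end = i; break; }
    }
    if (end === -1) break; // unterminated directive; nothing more to parse
    bodies.push(text.slice(start, end + 1));
    opener.lastIndex = end + 1;
  }
  return bodies;
}

// Classify every key a directive tries to set as blocked (listed in
// config.secure) or allowed. Unparseable bodies are counted, not trusted.
function auditDiagram(text, config) {
  const blocked = [];
  const allowed = [];
  let unparseable = 0;
  for (const body of extractInitDirectives(text)) {
    let obj;
    try {
      obj = JSON.parse(body.replace(/'/g, '"')); // assumption: JSON-like body
    } catch {
      unparseable++;
      continue;
    }
    for (const [key, value] of Object.entries(obj)) {
      (config.secure.includes(key) ? blocked : allowed).push({ key, value });
    }
  }
  return { blocked, allowed, unparseable, attemptsOverride: blocked.length > 0 };
}

// Constructed sample: an untrusted diagram that tries to drop to "loose".
const SAMPLE_UNTRUSTED_DIAGRAM = [
  "%%{init: {'securityLevel': 'loose', 'theme': 'forest'}}%%",
  "graph TD",
  "  A[Start] --> B[End]",
].join("\n");

const untrustedConfig = buildMermaidConfig("untrusted");
const report = auditDiagram(SAMPLE_UNTRUSTED_DIAGRAM, untrustedConfig);
console.log(JSON.stringify(report, null, 2));
// In the browser: mermaid.initialize(untrustedConfig); then log or reject
// diagrams whose report.attemptsOverride is true before calling mermaid.render().
```

With secure set, Mermaid ignores the protected keys from directives anyway; the audit adds detection on top of that, so an attempted downgrade to loose can be logged or rejected rather than silently dropped.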