Upgrade mermaid to prevent xss attack

Update mermaid to avoid xss surface area. The newer release
restricts script tags to be embedded in mermaid blocks.

app/assets/javascripts/behaviors/markdown/render_mermaid.js

@@ -33,6 +33,7 @@ export default function renderMermaid($els) {
         flowchart: {
           htmlLabels: false,
         },
+        securityLevel: 'strict',
       });
       $els.each((i, el) => {

changelogs/unreleased/security-xss-mermaid-12-1.yml

+---
+title: Upgrade mermaid to prevent XSS
+merge_request:
+author:
+type: security

package.json

@@ -96,7 +96,7 @@
     "jszip-utils": "^0.0.2",
     "katex": "^0.10.0",
     "marked": "^0.3.12",
-    "mermaid": "^8.1.0",
+    "mermaid": "^8.2.3",
     "monaco-editor": "^0.15.6",
     "monaco-editor-webpack-plugin": "^1.7.0",
     "mousetrap": "^1.4.6",
@@ -138,7 +138,7 @@
     "vue-virtual-scroll-list": "^1.3.1",
     "vuex": "^3.1.0",
     "webpack": "^4.29.0",
-    "webpack-bundle-analyzer": "^3.0.3",
+    "webpack-bundle-analyzer": "^3.3.2",
     "webpack-cli": "^3.2.1",
     "webpack-stats-plugin": "^0.2.1",
     "worker-loader": "^2.0.0",

spec/features/issues/user_comments_on_issue_spec.rb

@@ -41,16 +41,17 @@ describe "User comments on issue", :js do
       expect(page.find('pre code').text).to eq code_block_content
     end
-    it "does not render html content in mermaid" do
+    it "renders escaped HTML content in Mermaid" do
       html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
       mermaid_content = "graph LR\n  B-->D(#{html_content});"
+      escaped_content = CGI.escapeHTML(html_content).gsub('=', "&equals;")
       comment = "```mermaid\n#{mermaid_content}\n```"
       add_note(comment)
       wait_for_requests
-      expect(page.find('svg.mermaid')).to have_content html_content
+      expect(page.find('svg.mermaid')).to have_content escaped_content
     end
   end