npm - flowchart-sequence-designer - Versions diffs - 1.0.1 → 1.2.0 - Mend

flowchart-sequence-designer 1.0.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/index.js CHANGED Viewed

@@ -9,7 +9,15 @@ var Model = class _Model {
    * @param variant  Optional UI variant (flowchart models only).
    */
   constructor(type, title, variant) {
-    this.data = { type, ...variant ? { variant } : {}, title, nodes: [], edges: [], actors: [], messages: [] };
+    this.data = {
+      type,
+      ...variant ? { variant } : {},
+      title,
+      nodes: [],
+      edges: [],
+      actors: [],
+      messages: []
+    };
   }
   /**
    * Rehydrate a `Model` from a previously serialized `DiagramModel`. The
@@ -45,7 +53,8 @@ var Model = class _Model {
   updateNode(id, patch) {
     const node = this.data.nodes.find((n) => n.id === id);
     if (!node) throw new Error(`Node "${id}" not found`);
-    Object.assign(node, patch);
+    const { __proto__, constructor, ...safe } = patch;
+    Object.assign(node, safe);
     return this;
   }
   /**
@@ -85,15 +94,35 @@ var Model = class _Model {
     const errors = [];
     const nodeIds = /* @__PURE__ */ new Set();
     for (const n of this.data.nodes) {
-      if (nodeIds.has(n.id)) errors.push({ kind: "duplicate-node-id", id: n.id, message: `Duplicate node id "${n.id}"` });
+      if (nodeIds.has(n.id))
+        errors.push({
+          kind: "duplicate-node-id",
+          id: n.id,
+          message: `Duplicate node id "${n.id}"`
+        });
       nodeIds.add(n.id);
     }
     const edgeIds = /* @__PURE__ */ new Set();
     for (const e of this.data.edges) {
-      if (edgeIds.has(e.id)) errors.push({ kind: "duplicate-edge-id", id: e.id, message: `Duplicate edge id "${e.id}"` });
+      if (edgeIds.has(e.id))
+        errors.push({
+          kind: "duplicate-edge-id",
+          id: e.id,
+          message: `Duplicate edge id "${e.id}"`
+        });
       edgeIds.add(e.id);
-      if (!nodeIds.has(e.from)) errors.push({ kind: "dangling-from", id: e.id, message: `Edge "${e.id}" references unknown source node "${e.from}"` });
-      if (!nodeIds.has(e.to)) errors.push({ kind: "dangling-to", id: e.id, message: `Edge "${e.id}" references unknown target node "${e.to}"` });
+      if (!nodeIds.has(e.from))
+        errors.push({
+          kind: "dangling-from",
+          id: e.id,
+          message: `Edge "${e.id}" references unknown source node "${e.from}"`
+        });
+      if (!nodeIds.has(e.to))
+        errors.push({
+          kind: "dangling-to",
+          id: e.id,
+          message: `Edge "${e.id}" references unknown target node "${e.to}"`
+        });
     }
     return errors;
   }
@@ -302,7 +331,9 @@ function computeLayout(model) {
     const h = isQuestion(n, model.variant) ? questionNodeH(n.metadata?.answers ?? []) : NODE_H;
     return { node: n, w, h };
   });
-  const allPositioned = sized.every((s) => typeof s.node.x === "number" && typeof s.node.y === "number");
+  const allPositioned = sized.every(
+    (s) => typeof s.node.x === "number" && typeof s.node.y === "number"
+  );
   if (allPositioned) {
     for (const s of sized) {
       boxes.set(s.node.id, { x: s.node.x, y: s.node.y, w: s.w, h: s.h });
@@ -352,7 +383,15 @@ function computeLayout(model) {
   return boxes;
 }
 function escapeXML(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function sanitizeForSVG(s) {
+  let clean = s;
+  clean = clean.replace(/<\/?[a-zA-Z][^>]*>/g, "");
+  clean = clean.replace(/\b(?:javascript|data|vbscript)\s*:/gi, "");
+  clean = clean.replace(/\bon[a-z]+\s*=/gi, "");
+  clean = clean.replace(/\x00/g, "");
+  return escapeXML(clean);
 }
 var COLORS = {
   bg: "#fafbfc",
@@ -371,8 +410,8 @@ function renderStandardNode(node, box) {
   const cx = box.x + box.w / 2;
   const cy = box.y + box.h / 2;
   const shape = node.shape ?? "rectangle";
-  const label = `<text x="${cx}" y="${cy + 4.5}" text-anchor="middle" font-family="ui-sans-serif,system-ui,-apple-system,sans-serif" font-size="13" font-weight="500" fill="${COLORS.text}">${escapeXML(node.label)}</text>`;
-  let shapeEl = "";
+  const label = `<text x="${cx}" y="${cy + 4.5}" text-anchor="middle" font-family="ui-sans-serif,system-ui,-apple-system,sans-serif" font-size="13" font-weight="500" fill="${COLORS.text}">${sanitizeForSVG(node.label)}</text>`;
+  let shapeEl;
   if (shape === "diamond") {
     const pts = `${cx},${box.y} ${box.x + box.w},${cy} ${cx},${box.y + box.h} ${box.x},${cy}`;
     shapeEl = `<polygon points="${pts}" fill="${COLORS.nodeFill}" stroke="${COLORS.nodeStroke}" stroke-width="1.25" filter="url(#nodeShadow)"/>`;
@@ -392,17 +431,37 @@ function renderQuestionNode(node, box) {
   const clipId = `qhdr-${node.id.replace(/[^a-zA-Z0-9_-]/g, "_")}`;
   const x = box.x, y = box.y, w = box.w, h = box.h;
   const parts = [];
-  parts.push(`<rect x="${x}" y="${y}" width="${w}" height="${h}" rx="14" fill="${COLORS.nodeFill}" stroke="${COLORS.amberLine}" stroke-width="1.5" filter="url(#nodeShadow)"/>`);
-  parts.push(`<defs><clipPath id="${clipId}"><rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" rx="14"/></clipPath></defs>`);
-  parts.push(`<rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" fill="${COLORS.amberSoft}" clip-path="url(#${clipId})"/>`);
-  parts.push(`<rect x="${x}" y="${y}" width="4" height="${Q_BASE_H}" rx="2" fill="${COLORS.amber}"/>`);
-  parts.push(`<rect x="${x + 12}" y="${y + 14}" width="28" height="28" rx="8" fill="${COLORS.amber}"/>`);
-  parts.push(`<text x="${x + 26}" y="${y + 33}" text-anchor="middle" font-size="15" font-weight="900" fill="white">?</text>`);
-  parts.push(`<text x="${x + 50}" y="${y + 27}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="9" font-weight="700" fill="${COLORS.textSub}" letter-spacing="0.6">QUESTION</text>`);
-  parts.push(`<text x="${x + 50}" y="${y + 42}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="13" font-weight="700" fill="${COLORS.text}">${escapeXML(node.label)}</text>`);
-  parts.push(`<line x1="${x}" y1="${y + Q_BASE_H}" x2="${x + w}" y2="${y + Q_BASE_H}" stroke="${COLORS.amberLine}" stroke-width="1"/>`);
+  parts.push(
+    `<rect x="${x}" y="${y}" width="${w}" height="${h}" rx="14" fill="${COLORS.nodeFill}" stroke="${COLORS.amberLine}" stroke-width="1.5" filter="url(#nodeShadow)"/>`
+  );
+  parts.push(
+    `<defs><clipPath id="${clipId}"><rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" rx="14"/></clipPath></defs>`
+  );
+  parts.push(
+    `<rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" fill="${COLORS.amberSoft}" clip-path="url(#${clipId})"/>`
+  );
+  parts.push(
+    `<rect x="${x}" y="${y}" width="4" height="${Q_BASE_H}" rx="2" fill="${COLORS.amber}"/>`
+  );
+  parts.push(
+    `<rect x="${x + 12}" y="${y + 14}" width="28" height="28" rx="8" fill="${COLORS.amber}"/>`
+  );
+  parts.push(
+    `<text x="${x + 26}" y="${y + 33}" text-anchor="middle" font-size="15" font-weight="900" fill="white">?</text>`
+  );
+  parts.push(
+    `<text x="${x + 50}" y="${y + 27}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="9" font-weight="700" fill="${COLORS.textSub}" letter-spacing="0.6">QUESTION</text>`
+  );
+  parts.push(
+    `<text x="${x + 50}" y="${y + 42}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="13" font-weight="700" fill="${COLORS.text}">${sanitizeForSVG(node.label)}</text>`
+  );
+  parts.push(
+    `<line x1="${x}" y1="${y + Q_BASE_H}" x2="${x + w}" y2="${y + Q_BASE_H}" stroke="${COLORS.amberLine}" stroke-width="1"/>`
+  );
   if (answers.length === 0) {
-    parts.push(`<text x="${x + w / 2}" y="${y + Q_BASE_H + 22}" text-anchor="middle" font-size="10" fill="${COLORS.amber}" opacity="0.4" font-weight="600">No answers yet</text>`);
+    parts.push(
+      `<text x="${x + w / 2}" y="${y + Q_BASE_H + 22}" text-anchor="middle" font-size="10" fill="${COLORS.amber}" opacity="0.4" font-weight="600">No answers yet</text>`
+    );
   } else {
     const letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
     answers.forEach((ans, i) => {
@@ -415,10 +474,18 @@ function renderQuestionNode(node, box) {
       const letter = i < 26 ? letters[i] : `${i + 1}`;
       const maxChars = Math.max(2, Math.floor((cW - 20) / 7.5));
       const displayAns = ans.length > maxChars ? ans.slice(0, maxChars - 1) + "\u2026" : ans;
-      parts.push(`<rect x="${cardX}" y="${cardY}" width="${cW}" height="${cardH}" rx="8" fill="${COLORS.amberCardBg}" stroke="${COLORS.amberLine}" stroke-width="1"/>`);
-      parts.push(`<rect x="${cx - 11}" y="${cardY + 7}" width="22" height="22" rx="6" fill="#fef3c7"/>`);
-      parts.push(`<text x="${cx}" y="${cardY + 22}" text-anchor="middle" font-size="10" font-weight="800" fill="${COLORS.amber}">${escapeXML(letter)}</text>`);
-      parts.push(`<text x="${cx}" y="${cardY + 46}" text-anchor="middle" font-size="11" font-weight="500" fill="#374151" font-family="ui-sans-serif,system-ui,sans-serif">${escapeXML(displayAns)}</text>`);
+      parts.push(
+        `<rect x="${cardX}" y="${cardY}" width="${cW}" height="${cardH}" rx="8" fill="${COLORS.amberCardBg}" stroke="${COLORS.amberLine}" stroke-width="1"/>`
+      );
+      parts.push(
+        `<rect x="${cx - 11}" y="${cardY + 7}" width="22" height="22" rx="6" fill="#fef3c7"/>`
+      );
+      parts.push(
+        `<text x="${cx}" y="${cardY + 22}" text-anchor="middle" font-size="10" font-weight="800" fill="${COLORS.amber}">${sanitizeForSVG(letter)}</text>`
+      );
+      parts.push(
+        `<text x="${cx}" y="${cardY + 46}" text-anchor="middle" font-size="11" font-weight="500" fill="#374151" font-family="ui-sans-serif,system-ui,sans-serif">${sanitizeForSVG(displayAns)}</text>`
+      );
     });
   }
   return parts.join("");
@@ -456,7 +523,7 @@ function renderEdge(edge, boxes, variant, nodes) {
     const midY = (y1 + y2) / 2;
     const labelW = estimateTextW(edge.label, 7) + 14;
     out += `<rect x="${midX - labelW / 2}" y="${midY - 11}" width="${labelW}" height="18" rx="9" fill="${COLORS.bg}" stroke="${COLORS.nodeStroke}" stroke-width="1"/>`;
-    out += `<text x="${midX}" y="${midY + 2}" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="11" fill="${COLORS.text}">${escapeXML(edge.label)}</text>`;
+    out += `<text x="${midX}" y="${midY + 2}" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="11" fill="${COLORS.text}">${sanitizeForSVG(edge.label)}</text>`;
   }
   return out;
 }
@@ -482,7 +549,7 @@ function toSVG(model) {
     `</marker>`,
     `</defs>`
   ].join("");
-  const titleEl = model.title ? `<text x="${width / 2}" y="22" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="15" font-weight="700" fill="${COLORS.text}">${escapeXML(model.title)}</text>` : "";
+  const titleEl = model.title ? `<text x="${width / 2}" y="22" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="15" font-weight="700" fill="${COLORS.text}">${sanitizeForSVG(model.title)}</text>` : "";
   const edges = model.edges.map((e) => renderEdge(e, boxes, model.variant, model.nodes)).join("\n");
   const nodes = model.nodes.map((n) => {
     const b = boxes.get(n.id);
@@ -499,7 +566,9 @@ ${nodes}
 }
 async function toPNG(model) {
   if (typeof document === "undefined") {
-    throw new Error("toPNG requires a browser environment. For Node/Bun server use, pipe toSVG() through @resvg/resvg-js.");
+    throw new Error(
+      "toPNG requires a browser environment. For Node/Bun server use, pipe toSVG() through @resvg/resvg-js."
+    );
   }
   const svg = toSVG(model);
   const blob = new Blob([svg], { type: "image/svg+xml" });
@@ -515,7 +584,10 @@ async function toPNG(model) {
       ctx.scale(scale, scale);
       ctx.drawImage(img, 0, 0);
       URL.revokeObjectURL(url);
-      canvas.toBlob((b) => b ? resolve(b) : reject(new Error("Canvas toBlob failed")), "image/png");
+      canvas.toBlob(
+        (b) => b ? resolve(b) : reject(new Error("Canvas toBlob failed")),
+        "image/png"
+      );
     };
     img.onerror = () => {
       URL.revokeObjectURL(url);
@@ -612,7 +684,13 @@ var SequenceBuilder = class {
     this.model.addActor(from);
     this.model.addActor(to);
     const messages = this.model.toJSON().messages ?? [];
-    this.model.addMessage({ id: nextId("m", messages), from, to, label, style: options.style ?? "solid" });
+    this.model.addMessage({
+      id: nextId("m", messages),
+      from,
+      to,
+      label,
+      style: options.style ?? "solid"
+    });
     return this;
   }
   /** Convenience for a `dashed`-style return message. */
@@ -640,6 +718,31 @@ function sequence(title) {
   return new SequenceBuilder(title);
 }
+// src/core/sanitize.ts
+var MAX_LABEL_LENGTH = 2e3;
+var MAX_NODES = 500;
+var MAX_EDGES = 2e3;
+var MAX_ACTORS = 100;
+var MAX_MESSAGES = 2e3;
+var MAX_IMPORT_LENGTH = 2 * 1024 * 1024;
+function sanitizeLabel(raw) {
+  let s = raw;
+  s = s.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+  s = s.replace(/<\/?[a-zA-Z][^>]*>/g, "");
+  s = s.replace(/\b(?:javascript|data|vbscript)\s*:/gi, "");
+  s = s.replace(/\bon[a-z]+\s*=/gi, "");
+  if (s.length > MAX_LABEL_LENGTH) {
+    s = s.slice(0, MAX_LABEL_LENGTH);
+  }
+  return s;
+}
+function sanitizeURL(url) {
+  const trimmed = url.trim();
+  if (trimmed.startsWith("/") || trimmed.startsWith("#")) return trimmed;
+  if (/^https?:\/\//i.test(trimmed) || /^mailto:/i.test(trimmed)) return trimmed;
+  return void 0;
+}
 // src/importers/mermaid.ts
 function parseNodeDecl(raw) {
   const patterns = [
@@ -651,7 +754,7 @@ function parseNodeDecl(raw) {
   ];
   for (const [re, shape] of patterns) {
     const m = raw.match(re);
-    if (m) return { id: m[1], label: m[2].replace(/^["']|["']$/g, ""), shape };
+    if (m) return { id: m[1], label: sanitizeLabel(m[2].replace(/^["']|["']$/g, "")), shape };
   }
   return null;
 }
@@ -666,8 +769,11 @@ function parseFlowchart(lines) {
   const model = new Model("flowchart");
   const nodeMap = /* @__PURE__ */ new Map();
   const groupStack = [];
+  let edgeCount = 0;
   const ensureNode = (id, group) => {
     if (!nodeMap.has(id)) {
+      if (nodeMap.size >= MAX_NODES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
       nodeMap.set(id, true);
       const metadata = group ? { group } : void 0;
       model.addNode({ id, label: id, shape: "rectangle", ...metadata ? { metadata } : {} });
@@ -676,7 +782,8 @@ function parseFlowchart(lines) {
   for (const line of lines) {
     const trimmed = line.trim();
     if (!trimmed) continue;
-    if (trimmed.startsWith("%%") || trimmed.startsWith("graph") || trimmed.startsWith("flowchart") || trimmed.startsWith("click ") || trimmed.startsWith("classDef ") || trimmed.startsWith("class ") || trimmed.startsWith("style ") || trimmed.startsWith("linkStyle ")) continue;
+    if (trimmed.startsWith("%%") || trimmed.startsWith("graph") || trimmed.startsWith("flowchart") || trimmed.startsWith("click ") || trimmed.startsWith("classDef ") || trimmed.startsWith("class ") || trimmed.startsWith("style ") || trimmed.startsWith("linkStyle "))
+      continue;
     const subgraphOpen = trimmed.match(/^subgraph\s+(\S+)/i);
     if (subgraphOpen) {
       groupStack.push(subgraphOpen[1]);
@@ -692,12 +799,15 @@ function parseFlowchart(lines) {
       const fromRaw = edgeMatch[1].trim();
       const connector = edgeMatch[2];
       const label = edgeMatch[3]?.replace(/^["']|["']$/g, "");
+      const sanitizedLabel = label ? sanitizeLabel(label) : void 0;
       const toRaw = edgeMatch[4].trim();
       const style = detectStyle(connector);
       const arrowhead = detectArrowhead(connector);
       const fromNode = parseNodeDecl(fromRaw);
       const toNode = parseNodeDecl(toRaw);
       if (fromNode && !nodeMap.has(fromNode.id)) {
+        if (nodeMap.size >= MAX_NODES)
+          throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
         nodeMap.set(fromNode.id, true);
         const metadata = currentGroup ? { group: currentGroup } : void 0;
         model.addNode({ ...fromNode, ...metadata ? { metadata } : {} });
@@ -705,19 +815,24 @@ function parseFlowchart(lines) {
         ensureNode(fromRaw.replace(/\W.*/, ""), currentGroup);
       }
       if (toNode && !nodeMap.has(toNode.id)) {
+        if (nodeMap.size >= MAX_NODES)
+          throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
         nodeMap.set(toNode.id, true);
         const metadata = currentGroup ? { group: currentGroup } : void 0;
         model.addNode({ ...toNode, ...metadata ? { metadata } : {} });
       } else if (!toNode) {
         ensureNode(toRaw.replace(/\W.*/, ""), currentGroup);
       }
+      if (edgeCount >= MAX_EDGES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_EDGES} edges`);
+      edgeCount++;
       const fromId = fromNode?.id ?? fromRaw.replace(/\W.*/, "");
       const toId = toNode?.id ?? toRaw.replace(/\W.*/, "");
       model.addEdge({
         id: nextId("e", model.toJSON().edges),
         from: fromId,
         to: toId,
-        ...label ? { label } : {},
+        ...sanitizedLabel ? { label: sanitizedLabel } : {},
         style,
         ...arrowhead === "none" ? { arrowhead } : {}
       });
@@ -725,6 +840,8 @@ function parseFlowchart(lines) {
     }
     const nodeDecl = parseNodeDecl(trimmed);
     if (nodeDecl && !nodeMap.has(nodeDecl.id)) {
+      if (nodeMap.size >= MAX_NODES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
       nodeMap.set(nodeDecl.id, true);
       const metadata = currentGroup ? { group: currentGroup } : void 0;
       model.addNode({ ...nodeDecl, ...metadata ? { metadata } : {} });
@@ -734,34 +851,56 @@ function parseFlowchart(lines) {
 }
 function parseSequence(lines, title) {
   const model = new Model("sequence", title);
+  let actorCount = 0;
+  let messageCount = 0;
+  const safeAddActor = (name) => {
+    const safeName = sanitizeLabel(name);
+    if (!model.toJSON().actors?.includes(safeName)) {
+      if (actorCount >= MAX_ACTORS)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_ACTORS} actors`);
+      actorCount++;
+    }
+    model.addActor(safeName);
+    return safeName;
+  };
   for (const line of lines) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("sequenceDiagram") || trimmed.startsWith("%%")) continue;
     const participantMatch = trimmed.match(/^participant\s+(.+)$/i);
     if (participantMatch) {
-      model.addActor(participantMatch[1].trim());
+      safeAddActor(participantMatch[1].trim());
       continue;
     }
     const actorMatch = trimmed.match(/^actor\s+(.+)$/i);
     if (actorMatch) {
-      model.addActor(actorMatch[1].trim());
+      safeAddActor(actorMatch[1].trim());
       continue;
     }
     const msgMatch = trimmed.match(/^(.+?)\s*(-->>|->>|-->|->)\s*(.+?):\s*(.+)$/);
     if (msgMatch) {
-      const from = msgMatch[1].trim();
+      const from = safeAddActor(msgMatch[1].trim());
       const arrow = msgMatch[2];
-      const to = msgMatch[3].trim();
-      const label = msgMatch[4].trim();
-      model.addActor(from);
-      model.addActor(to);
+      const to = safeAddActor(msgMatch[3].trim());
+      const label = sanitizeLabel(msgMatch[4].trim());
+      if (messageCount >= MAX_MESSAGES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_MESSAGES} messages`);
+      messageCount++;
       const messages = model.toJSON().messages ?? [];
-      model.addMessage({ id: nextId("m", messages), from, to, label, style: arrow.startsWith("--") ? "dashed" : "solid" });
+      model.addMessage({
+        id: nextId("m", messages),
+        from,
+        to,
+        label,
+        style: arrow.startsWith("--") ? "dashed" : "solid"
+      });
     }
   }
   return model;
 }
 function fromMermaid(mermaid) {
+  if (mermaid.length > MAX_IMPORT_LENGTH) {
+    throw new Error(`Import aborted: input exceeds the maximum of ${MAX_IMPORT_LENGTH} characters`);
+  }
   const cleaned = mermaid.replace(/mermaid\.initialize\([\s\S]*?\)\s*;?/g, "");
   const rawLines = cleaned.split("\n");
   let startIdx = 0;
@@ -793,10 +932,74 @@ function fromMermaid(mermaid) {
 }
 // src/importers/json.ts
+function stripDangerousKeys(obj) {
+  if (Array.isArray(obj)) return obj.map(stripDangerousKeys);
+  if (obj !== null && typeof obj === "object") {
+    const clean = {};
+    for (const [key, val] of Object.entries(obj)) {
+      if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
+      clean[key] = stripDangerousKeys(val);
+    }
+    return clean;
+  }
+  return obj;
+}
 function fromJSON(json) {
-  const data = typeof json === "string" ? JSON.parse(json) : json;
-  if (!data.type || !Array.isArray(data.nodes) || !Array.isArray(data.edges)) {
-    throw new Error("Invalid DiagramModel JSON");
+  if (typeof json === "string" && json.length > MAX_IMPORT_LENGTH) {
+    throw new Error(`Import aborted: input exceeds the maximum of ${MAX_IMPORT_LENGTH} characters`);
+  }
+  const raw = typeof json === "string" ? JSON.parse(json) : json;
+  const data = stripDangerousKeys(raw);
+  if (typeof data !== "object" || data === null || Array.isArray(data)) {
+    throw new Error("Invalid DiagramModel JSON: expected an object");
+  }
+  if (data.type !== "flowchart" && data.type !== "sequence") {
+    throw new Error(`Invalid DiagramModel JSON: unknown type "${data.type}"`);
+  }
+  if (!Array.isArray(data.nodes) || !Array.isArray(data.edges)) {
+    throw new Error("Invalid DiagramModel JSON: nodes and edges must be arrays");
+  }
+  if (data.nodes.length > MAX_NODES) {
+    throw new Error(
+      `Import aborted: diagram has ${data.nodes.length} nodes, maximum is ${MAX_NODES}`
+    );
+  }
+  if (data.edges.length > MAX_EDGES) {
+    throw new Error(
+      `Import aborted: diagram has ${data.edges.length} edges, maximum is ${MAX_EDGES}`
+    );
+  }
+  if (data.actors && data.actors.length > MAX_ACTORS) {
+    throw new Error(
+      `Import aborted: diagram has ${data.actors.length} actors, maximum is ${MAX_ACTORS}`
+    );
+  }
+  if (data.messages && data.messages.length > MAX_MESSAGES) {
+    throw new Error(
+      `Import aborted: diagram has ${data.messages.length} messages, maximum is ${MAX_MESSAGES}`
+    );
+  }
+  for (const node of data.nodes) {
+    if (typeof node !== "object" || node === null || typeof node.id !== "string" || typeof node.label !== "string") {
+      throw new Error("Invalid DiagramModel JSON: each node must have string id and label");
+    }
+    node.label = sanitizeLabel(node.label);
+  }
+  for (const edge of data.edges) {
+    if (typeof edge !== "object" || edge === null || typeof edge.id !== "string" || typeof edge.from !== "string" || typeof edge.to !== "string") {
+      throw new Error("Invalid DiagramModel JSON: each edge must have string id, from, and to");
+    }
+    if (edge.label) edge.label = sanitizeLabel(edge.label);
+  }
+  if (data.actors) {
+    data.actors = data.actors.map((a) => typeof a === "string" ? sanitizeLabel(a) : a);
+  }
+  if (data.messages) {
+    for (const msg of data.messages) {
+      if (typeof msg === "object" && msg !== null && typeof msg.label === "string") {
+        msg.label = sanitizeLabel(msg.label);
+      }
+    }
   }
   return Model.fromData(data);
 }
@@ -807,6 +1010,8 @@ export {
   flowchart,
   fromJSON,
   fromMermaid,
+  sanitizeLabel,
+  sanitizeURL,
   sequence,
   toJSON,
   toMermaid,