flowchart-sequence-designer 1.1.0 → 1.2.1

package/dist/index.cjs

@@ -26,6 +26,8 @@ __export(src_exports, {
   flowchart: () => flowchart,
   fromJSON: () => fromJSON,
   fromMermaid: () => fromMermaid,
+  sanitizeLabel: () => sanitizeLabel,
+  sanitizeURL: () => sanitizeURL,
   sequence: () => sequence,
   toJSON: () => toJSON,
   toMermaid: () => toMermaid,
@@ -46,7 +48,15 @@ var Model = class _Model {
    * @param variant  Optional UI variant (flowchart models only).
    */
   constructor(type, title, variant) {
-    this.data = { type, ...variant ? { variant } : {}, title, nodes: [], edges: [], actors: [], messages: [] };
+    this.data = {
+      type,
+      ...variant ? { variant } : {},
+      title,
+      nodes: [],
+      edges: [],
+      actors: [],
+      messages: []
+    };
   }
   /**
    * Rehydrate a `Model` from a previously serialized `DiagramModel`. The
@@ -82,7 +92,8 @@ var Model = class _Model {
   updateNode(id, patch) {
     const node = this.data.nodes.find((n) => n.id === id);
     if (!node) throw new Error(`Node "${id}" not found`);
-    Object.assign(node, patch);
+    const { __proto__, constructor, ...safe } = patch;
+    Object.assign(node, safe);
     return this;
   }
   /**
@@ -122,15 +133,35 @@ var Model = class _Model {
     const errors = [];
     const nodeIds = /* @__PURE__ */ new Set();
     for (const n of this.data.nodes) {
-      if (nodeIds.has(n.id)) errors.push({ kind: "duplicate-node-id", id: n.id, message: `Duplicate node id "${n.id}"` });
+      if (nodeIds.has(n.id))
+        errors.push({
+          kind: "duplicate-node-id",
+          id: n.id,
+          message: `Duplicate node id "${n.id}"`
+        });
       nodeIds.add(n.id);
     }
     const edgeIds = /* @__PURE__ */ new Set();
     for (const e of this.data.edges) {
-      if (edgeIds.has(e.id)) errors.push({ kind: "duplicate-edge-id", id: e.id, message: `Duplicate edge id "${e.id}"` });
+      if (edgeIds.has(e.id))
+        errors.push({
+          kind: "duplicate-edge-id",
+          id: e.id,
+          message: `Duplicate edge id "${e.id}"`
+        });
       edgeIds.add(e.id);
-      if (!nodeIds.has(e.from)) errors.push({ kind: "dangling-from", id: e.id, message: `Edge "${e.id}" references unknown source node "${e.from}"` });
-      if (!nodeIds.has(e.to)) errors.push({ kind: "dangling-to", id: e.id, message: `Edge "${e.id}" references unknown target node "${e.to}"` });
+      if (!nodeIds.has(e.from))
+        errors.push({
+          kind: "dangling-from",
+          id: e.id,
+          message: `Edge "${e.id}" references unknown source node "${e.from}"`
+        });
+      if (!nodeIds.has(e.to))
+        errors.push({
+          kind: "dangling-to",
+          id: e.id,
+          message: `Edge "${e.id}" references unknown target node "${e.to}"`
+        });
     }
     return errors;
   }
@@ -339,7 +370,9 @@ function computeLayout(model) {
     const h = isQuestion(n, model.variant) ? questionNodeH(n.metadata?.answers ?? []) : NODE_H;
     return { node: n, w, h };
   });
-  const allPositioned = sized.every((s) => typeof s.node.x === "number" && typeof s.node.y === "number");
+  const allPositioned = sized.every(
+    (s) => typeof s.node.x === "number" && typeof s.node.y === "number"
+  );
   if (allPositioned) {
     for (const s of sized) {
       boxes.set(s.node.id, { x: s.node.x, y: s.node.y, w: s.w, h: s.h });
@@ -389,7 +422,15 @@ function computeLayout(model) {
   return boxes;
 }
 function escapeXML(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function sanitizeForSVG(s) {
+  let clean = s;
+  clean = clean.replace(/<\/?[a-zA-Z][^>]*>/g, "");
+  clean = clean.replace(/\b(?:javascript|data|vbscript)\s*:/gi, "");
+  clean = clean.replace(/\bon[a-z]+\s*=/gi, "");
+  clean = clean.replace(/\x00/g, "");
+  return escapeXML(clean);
 }
 var COLORS = {
   bg: "#fafbfc",
@@ -408,8 +449,8 @@ function renderStandardNode(node, box) {
   const cx = box.x + box.w / 2;
   const cy = box.y + box.h / 2;
   const shape = node.shape ?? "rectangle";
-  const label = `<text x="${cx}" y="${cy + 4.5}" text-anchor="middle" font-family="ui-sans-serif,system-ui,-apple-system,sans-serif" font-size="13" font-weight="500" fill="${COLORS.text}">${escapeXML(node.label)}</text>`;
-  let shapeEl = "";
+  const label = `<text x="${cx}" y="${cy + 4.5}" text-anchor="middle" font-family="ui-sans-serif,system-ui,-apple-system,sans-serif" font-size="13" font-weight="500" fill="${COLORS.text}">${sanitizeForSVG(node.label)}</text>`;
+  let shapeEl;
   if (shape === "diamond") {
     const pts = `${cx},${box.y} ${box.x + box.w},${cy} ${cx},${box.y + box.h} ${box.x},${cy}`;
     shapeEl = `<polygon points="${pts}" fill="${COLORS.nodeFill}" stroke="${COLORS.nodeStroke}" stroke-width="1.25" filter="url(#nodeShadow)"/>`;
@@ -429,17 +470,37 @@ function renderQuestionNode(node, box) {
   const clipId = `qhdr-${node.id.replace(/[^a-zA-Z0-9_-]/g, "_")}`;
   const x = box.x, y = box.y, w = box.w, h = box.h;
   const parts = [];
-  parts.push(`<rect x="${x}" y="${y}" width="${w}" height="${h}" rx="14" fill="${COLORS.nodeFill}" stroke="${COLORS.amberLine}" stroke-width="1.5" filter="url(#nodeShadow)"/>`);
-  parts.push(`<defs><clipPath id="${clipId}"><rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" rx="14"/></clipPath></defs>`);
-  parts.push(`<rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" fill="${COLORS.amberSoft}" clip-path="url(#${clipId})"/>`);
-  parts.push(`<rect x="${x}" y="${y}" width="4" height="${Q_BASE_H}" rx="2" fill="${COLORS.amber}"/>`);
-  parts.push(`<rect x="${x + 12}" y="${y + 14}" width="28" height="28" rx="8" fill="${COLORS.amber}"/>`);
-  parts.push(`<text x="${x + 26}" y="${y + 33}" text-anchor="middle" font-size="15" font-weight="900" fill="white">?</text>`);
-  parts.push(`<text x="${x + 50}" y="${y + 27}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="9" font-weight="700" fill="${COLORS.textSub}" letter-spacing="0.6">QUESTION</text>`);
-  parts.push(`<text x="${x + 50}" y="${y + 42}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="13" font-weight="700" fill="${COLORS.text}">${escapeXML(node.label)}</text>`);
-  parts.push(`<line x1="${x}" y1="${y + Q_BASE_H}" x2="${x + w}" y2="${y + Q_BASE_H}" stroke="${COLORS.amberLine}" stroke-width="1"/>`);
+  parts.push(
+    `<rect x="${x}" y="${y}" width="${w}" height="${h}" rx="14" fill="${COLORS.nodeFill}" stroke="${COLORS.amberLine}" stroke-width="1.5" filter="url(#nodeShadow)"/>`
+  );
+  parts.push(
+    `<defs><clipPath id="${clipId}"><rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" rx="14"/></clipPath></defs>`
+  );
+  parts.push(
+    `<rect x="${x}" y="${y}" width="${w}" height="${Q_BASE_H}" fill="${COLORS.amberSoft}" clip-path="url(#${clipId})"/>`
+  );
+  parts.push(
+    `<rect x="${x}" y="${y}" width="4" height="${Q_BASE_H}" rx="2" fill="${COLORS.amber}"/>`
+  );
+  parts.push(
+    `<rect x="${x + 12}" y="${y + 14}" width="28" height="28" rx="8" fill="${COLORS.amber}"/>`
+  );
+  parts.push(
+    `<text x="${x + 26}" y="${y + 33}" text-anchor="middle" font-size="15" font-weight="900" fill="white">?</text>`
+  );
+  parts.push(
+    `<text x="${x + 50}" y="${y + 27}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="9" font-weight="700" fill="${COLORS.textSub}" letter-spacing="0.6">QUESTION</text>`
+  );
+  parts.push(
+    `<text x="${x + 50}" y="${y + 42}" font-family="ui-sans-serif,system-ui,sans-serif" font-size="13" font-weight="700" fill="${COLORS.text}">${sanitizeForSVG(node.label)}</text>`
+  );
+  parts.push(
+    `<line x1="${x}" y1="${y + Q_BASE_H}" x2="${x + w}" y2="${y + Q_BASE_H}" stroke="${COLORS.amberLine}" stroke-width="1"/>`
+  );
   if (answers.length === 0) {
-    parts.push(`<text x="${x + w / 2}" y="${y + Q_BASE_H + 22}" text-anchor="middle" font-size="10" fill="${COLORS.amber}" opacity="0.4" font-weight="600">No answers yet</text>`);
+    parts.push(
+      `<text x="${x + w / 2}" y="${y + Q_BASE_H + 22}" text-anchor="middle" font-size="10" fill="${COLORS.amber}" opacity="0.4" font-weight="600">No answers yet</text>`
+    );
   } else {
     const letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
     answers.forEach((ans, i) => {
@@ -452,10 +513,18 @@ function renderQuestionNode(node, box) {
       const letter = i < 26 ? letters[i] : `${i + 1}`;
       const maxChars = Math.max(2, Math.floor((cW - 20) / 7.5));
       const displayAns = ans.length > maxChars ? ans.slice(0, maxChars - 1) + "\u2026" : ans;
-      parts.push(`<rect x="${cardX}" y="${cardY}" width="${cW}" height="${cardH}" rx="8" fill="${COLORS.amberCardBg}" stroke="${COLORS.amberLine}" stroke-width="1"/>`);
-      parts.push(`<rect x="${cx - 11}" y="${cardY + 7}" width="22" height="22" rx="6" fill="#fef3c7"/>`);
-      parts.push(`<text x="${cx}" y="${cardY + 22}" text-anchor="middle" font-size="10" font-weight="800" fill="${COLORS.amber}">${escapeXML(letter)}</text>`);
-      parts.push(`<text x="${cx}" y="${cardY + 46}" text-anchor="middle" font-size="11" font-weight="500" fill="#374151" font-family="ui-sans-serif,system-ui,sans-serif">${escapeXML(displayAns)}</text>`);
+      parts.push(
+        `<rect x="${cardX}" y="${cardY}" width="${cW}" height="${cardH}" rx="8" fill="${COLORS.amberCardBg}" stroke="${COLORS.amberLine}" stroke-width="1"/>`
+      );
+      parts.push(
+        `<rect x="${cx - 11}" y="${cardY + 7}" width="22" height="22" rx="6" fill="#fef3c7"/>`
+      );
+      parts.push(
+        `<text x="${cx}" y="${cardY + 22}" text-anchor="middle" font-size="10" font-weight="800" fill="${COLORS.amber}">${sanitizeForSVG(letter)}</text>`
+      );
+      parts.push(
+        `<text x="${cx}" y="${cardY + 46}" text-anchor="middle" font-size="11" font-weight="500" fill="#374151" font-family="ui-sans-serif,system-ui,sans-serif">${sanitizeForSVG(displayAns)}</text>`
+      );
     });
   }
   return parts.join("");
@@ -493,7 +562,7 @@ function renderEdge(edge, boxes, variant, nodes) {
     const midY = (y1 + y2) / 2;
     const labelW = estimateTextW(edge.label, 7) + 14;
     out += `<rect x="${midX - labelW / 2}" y="${midY - 11}" width="${labelW}" height="18" rx="9" fill="${COLORS.bg}" stroke="${COLORS.nodeStroke}" stroke-width="1"/>`;
-    out += `<text x="${midX}" y="${midY + 2}" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="11" fill="${COLORS.text}">${escapeXML(edge.label)}</text>`;
+    out += `<text x="${midX}" y="${midY + 2}" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="11" fill="${COLORS.text}">${sanitizeForSVG(edge.label)}</text>`;
   }
   return out;
 }
@@ -519,7 +588,7 @@ function toSVG(model) {
     `</marker>`,
     `</defs>`
   ].join("");
-  const titleEl = model.title ? `<text x="${width / 2}" y="22" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="15" font-weight="700" fill="${COLORS.text}">${escapeXML(model.title)}</text>` : "";
+  const titleEl = model.title ? `<text x="${width / 2}" y="22" text-anchor="middle" font-family="ui-sans-serif,system-ui,sans-serif" font-size="15" font-weight="700" fill="${COLORS.text}">${sanitizeForSVG(model.title)}</text>` : "";
   const edges = model.edges.map((e) => renderEdge(e, boxes, model.variant, model.nodes)).join("\n");
   const nodes = model.nodes.map((n) => {
     const b = boxes.get(n.id);
@@ -536,7 +605,9 @@ ${nodes}
 }
 async function toPNG(model) {
   if (typeof document === "undefined") {
-    throw new Error("toPNG requires a browser environment. For Node/Bun server use, pipe toSVG() through @resvg/resvg-js.");
+    throw new Error(
+      "toPNG requires a browser environment. For Node/Bun server use, pipe toSVG() through @resvg/resvg-js."
+    );
   }
   const svg = toSVG(model);
   const blob = new Blob([svg], { type: "image/svg+xml" });
@@ -552,7 +623,10 @@ async function toPNG(model) {
       ctx.scale(scale, scale);
       ctx.drawImage(img, 0, 0);
       URL.revokeObjectURL(url);
-      canvas.toBlob((b) => b ? resolve(b) : reject(new Error("Canvas toBlob failed")), "image/png");
+      canvas.toBlob(
+        (b) => b ? resolve(b) : reject(new Error("Canvas toBlob failed")),
+        "image/png"
+      );
     };
     img.onerror = () => {
       URL.revokeObjectURL(url);
@@ -649,7 +723,13 @@ var SequenceBuilder = class {
     this.model.addActor(from);
     this.model.addActor(to);
     const messages = this.model.toJSON().messages ?? [];
-    this.model.addMessage({ id: nextId("m", messages), from, to, label, style: options.style ?? "solid" });
+    this.model.addMessage({
+      id: nextId("m", messages),
+      from,
+      to,
+      label,
+      style: options.style ?? "solid"
+    });
     return this;
   }
   /** Convenience for a `dashed`-style return message. */
@@ -677,6 +757,31 @@ function sequence(title) {
   return new SequenceBuilder(title);
 }
 
+// src/core/sanitize.ts
+var MAX_LABEL_LENGTH = 2e3;
+var MAX_NODES = 500;
+var MAX_EDGES = 2e3;
+var MAX_ACTORS = 100;
+var MAX_MESSAGES = 2e3;
+var MAX_IMPORT_LENGTH = 2 * 1024 * 1024;
+function sanitizeLabel(raw) {
+  let s = raw;
+  s = s.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+  s = s.replace(/<\/?[a-zA-Z][^>]*>/g, "");
+  s = s.replace(/\b(?:javascript|data|vbscript)\s*:/gi, "");
+  s = s.replace(/\bon[a-z]+\s*=/gi, "");
+  if (s.length > MAX_LABEL_LENGTH) {
+    s = s.slice(0, MAX_LABEL_LENGTH);
+  }
+  return s;
+}
+function sanitizeURL(url) {
+  const trimmed = url.trim();
+  if (trimmed.startsWith("/") || trimmed.startsWith("#")) return trimmed;
+  if (/^https?:\/\//i.test(trimmed) || /^mailto:/i.test(trimmed)) return trimmed;
+  return void 0;
+}
+
 // src/importers/mermaid.ts
 function parseNodeDecl(raw) {
   const patterns = [
@@ -688,7 +793,7 @@ function parseNodeDecl(raw) {
   ];
   for (const [re, shape] of patterns) {
     const m = raw.match(re);
-    if (m) return { id: m[1], label: m[2].replace(/^["']|["']$/g, ""), shape };
+    if (m) return { id: m[1], label: sanitizeLabel(m[2].replace(/^["']|["']$/g, "")), shape };
   }
   return null;
 }
@@ -703,8 +808,11 @@ function parseFlowchart(lines) {
   const model = new Model("flowchart");
   const nodeMap = /* @__PURE__ */ new Map();
   const groupStack = [];
+  let edgeCount = 0;
   const ensureNode = (id, group) => {
     if (!nodeMap.has(id)) {
+      if (nodeMap.size >= MAX_NODES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
       nodeMap.set(id, true);
       const metadata = group ? { group } : void 0;
       model.addNode({ id, label: id, shape: "rectangle", ...metadata ? { metadata } : {} });
@@ -713,7 +821,8 @@ function parseFlowchart(lines) {
   for (const line of lines) {
     const trimmed = line.trim();
     if (!trimmed) continue;
-    if (trimmed.startsWith("%%") || trimmed.startsWith("graph") || trimmed.startsWith("flowchart") || trimmed.startsWith("click ") || trimmed.startsWith("classDef ") || trimmed.startsWith("class ") || trimmed.startsWith("style ") || trimmed.startsWith("linkStyle ")) continue;
+    if (trimmed.startsWith("%%") || trimmed.startsWith("graph") || trimmed.startsWith("flowchart") || trimmed.startsWith("click ") || trimmed.startsWith("classDef ") || trimmed.startsWith("class ") || trimmed.startsWith("style ") || trimmed.startsWith("linkStyle "))
+      continue;
     const subgraphOpen = trimmed.match(/^subgraph\s+(\S+)/i);
     if (subgraphOpen) {
       groupStack.push(subgraphOpen[1]);
@@ -729,12 +838,15 @@ function parseFlowchart(lines) {
       const fromRaw = edgeMatch[1].trim();
       const connector = edgeMatch[2];
       const label = edgeMatch[3]?.replace(/^["']|["']$/g, "");
+      const sanitizedLabel = label ? sanitizeLabel(label) : void 0;
       const toRaw = edgeMatch[4].trim();
       const style = detectStyle(connector);
       const arrowhead = detectArrowhead(connector);
       const fromNode = parseNodeDecl(fromRaw);
       const toNode = parseNodeDecl(toRaw);
       if (fromNode && !nodeMap.has(fromNode.id)) {
+        if (nodeMap.size >= MAX_NODES)
+          throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
         nodeMap.set(fromNode.id, true);
         const metadata = currentGroup ? { group: currentGroup } : void 0;
         model.addNode({ ...fromNode, ...metadata ? { metadata } : {} });
@@ -742,19 +854,24 @@ function parseFlowchart(lines) {
         ensureNode(fromRaw.replace(/\W.*/, ""), currentGroup);
       }
       if (toNode && !nodeMap.has(toNode.id)) {
+        if (nodeMap.size >= MAX_NODES)
+          throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
         nodeMap.set(toNode.id, true);
         const metadata = currentGroup ? { group: currentGroup } : void 0;
         model.addNode({ ...toNode, ...metadata ? { metadata } : {} });
       } else if (!toNode) {
         ensureNode(toRaw.replace(/\W.*/, ""), currentGroup);
       }
+      if (edgeCount >= MAX_EDGES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_EDGES} edges`);
+      edgeCount++;
       const fromId = fromNode?.id ?? fromRaw.replace(/\W.*/, "");
       const toId = toNode?.id ?? toRaw.replace(/\W.*/, "");
       model.addEdge({
         id: nextId("e", model.toJSON().edges),
         from: fromId,
         to: toId,
-        ...label ? { label } : {},
+        ...sanitizedLabel ? { label: sanitizedLabel } : {},
         style,
         ...arrowhead === "none" ? { arrowhead } : {}
       });
@@ -762,6 +879,8 @@ function parseFlowchart(lines) {
     }
     const nodeDecl = parseNodeDecl(trimmed);
     if (nodeDecl && !nodeMap.has(nodeDecl.id)) {
+      if (nodeMap.size >= MAX_NODES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_NODES} nodes`);
       nodeMap.set(nodeDecl.id, true);
       const metadata = currentGroup ? { group: currentGroup } : void 0;
       model.addNode({ ...nodeDecl, ...metadata ? { metadata } : {} });
@@ -771,34 +890,56 @@ function parseFlowchart(lines) {
 }
 function parseSequence(lines, title) {
   const model = new Model("sequence", title);
+  let actorCount = 0;
+  let messageCount = 0;
+  const safeAddActor = (name) => {
+    const safeName = sanitizeLabel(name);
+    if (!model.toJSON().actors?.includes(safeName)) {
+      if (actorCount >= MAX_ACTORS)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_ACTORS} actors`);
+      actorCount++;
+    }
+    model.addActor(safeName);
+    return safeName;
+  };
   for (const line of lines) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("sequenceDiagram") || trimmed.startsWith("%%")) continue;
     const participantMatch = trimmed.match(/^participant\s+(.+)$/i);
     if (participantMatch) {
-      model.addActor(participantMatch[1].trim());
+      safeAddActor(participantMatch[1].trim());
       continue;
     }
     const actorMatch = trimmed.match(/^actor\s+(.+)$/i);
     if (actorMatch) {
-      model.addActor(actorMatch[1].trim());
+      safeAddActor(actorMatch[1].trim());
       continue;
     }
     const msgMatch = trimmed.match(/^(.+?)\s*(-->>|->>|-->|->)\s*(.+?):\s*(.+)$/);
     if (msgMatch) {
-      const from = msgMatch[1].trim();
+      const from = safeAddActor(msgMatch[1].trim());
       const arrow = msgMatch[2];
-      const to = msgMatch[3].trim();
-      const label = msgMatch[4].trim();
-      model.addActor(from);
-      model.addActor(to);
+      const to = safeAddActor(msgMatch[3].trim());
+      const label = sanitizeLabel(msgMatch[4].trim());
+      if (messageCount >= MAX_MESSAGES)
+        throw new Error(`Import aborted: diagram exceeds the maximum of ${MAX_MESSAGES} messages`);
+      messageCount++;
       const messages = model.toJSON().messages ?? [];
-      model.addMessage({ id: nextId("m", messages), from, to, label, style: arrow.startsWith("--") ? "dashed" : "solid" });
+      model.addMessage({
+        id: nextId("m", messages),
+        from,
+        to,
+        label,
+        style: arrow.startsWith("--") ? "dashed" : "solid"
+      });
     }
   }
   return model;
 }
 function fromMermaid(mermaid) {
+  if (mermaid.length > MAX_IMPORT_LENGTH) {
+    throw new Error(`Import aborted: input exceeds the maximum of ${MAX_IMPORT_LENGTH} characters`);
+  }
   const cleaned = mermaid.replace(/mermaid\.initialize\([\s\S]*?\)\s*;?/g, "");
   const rawLines = cleaned.split("\n");
   let startIdx = 0;
@@ -830,10 +971,74 @@ function fromMermaid(mermaid) {
 }
 
 // src/importers/json.ts
+function stripDangerousKeys(obj) {
+  if (Array.isArray(obj)) return obj.map(stripDangerousKeys);
+  if (obj !== null && typeof obj === "object") {
+    const clean = {};
+    for (const [key, val] of Object.entries(obj)) {
+      if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
+      clean[key] = stripDangerousKeys(val);
+    }
+    return clean;
+  }
+  return obj;
+}
 function fromJSON(json) {
-  const data = typeof json === "string" ? JSON.parse(json) : json;
-  if (!data.type || !Array.isArray(data.nodes) || !Array.isArray(data.edges)) {
-    throw new Error("Invalid DiagramModel JSON");
+  if (typeof json === "string" && json.length > MAX_IMPORT_LENGTH) {
+    throw new Error(`Import aborted: input exceeds the maximum of ${MAX_IMPORT_LENGTH} characters`);
+  }
+  const raw = typeof json === "string" ? JSON.parse(json) : json;
+  const data = stripDangerousKeys(raw);
+  if (typeof data !== "object" || data === null || Array.isArray(data)) {
+    throw new Error("Invalid DiagramModel JSON: expected an object");
+  }
+  if (data.type !== "flowchart" && data.type !== "sequence") {
+    throw new Error(`Invalid DiagramModel JSON: unknown type "${data.type}"`);
+  }
+  if (!Array.isArray(data.nodes) || !Array.isArray(data.edges)) {
+    throw new Error("Invalid DiagramModel JSON: nodes and edges must be arrays");
+  }
+  if (data.nodes.length > MAX_NODES) {
+    throw new Error(
+      `Import aborted: diagram has ${data.nodes.length} nodes, maximum is ${MAX_NODES}`
+    );
+  }
+  if (data.edges.length > MAX_EDGES) {
+    throw new Error(
+      `Import aborted: diagram has ${data.edges.length} edges, maximum is ${MAX_EDGES}`
+    );
+  }
+  if (data.actors && data.actors.length > MAX_ACTORS) {
+    throw new Error(
+      `Import aborted: diagram has ${data.actors.length} actors, maximum is ${MAX_ACTORS}`
+    );
+  }
+  if (data.messages && data.messages.length > MAX_MESSAGES) {
+    throw new Error(
+      `Import aborted: diagram has ${data.messages.length} messages, maximum is ${MAX_MESSAGES}`
+    );
+  }
+  for (const node of data.nodes) {
+    if (typeof node !== "object" || node === null || typeof node.id !== "string" || typeof node.label !== "string") {
+      throw new Error("Invalid DiagramModel JSON: each node must have string id and label");
+    }
+    node.label = sanitizeLabel(node.label);
+  }
+  for (const edge of data.edges) {
+    if (typeof edge !== "object" || edge === null || typeof edge.id !== "string" || typeof edge.from !== "string" || typeof edge.to !== "string") {
+      throw new Error("Invalid DiagramModel JSON: each edge must have string id, from, and to");
+    }
+    if (edge.label) edge.label = sanitizeLabel(edge.label);
+  }
+  if (data.actors) {
+    data.actors = data.actors.map((a) => typeof a === "string" ? sanitizeLabel(a) : a);
+  }
+  if (data.messages) {
+    for (const msg of data.messages) {
+      if (typeof msg === "object" && msg !== null && typeof msg.label === "string") {
+        msg.label = sanitizeLabel(msg.label);
+      }
+    }
   }
   return Model.fromData(data);
 }
@@ -845,6 +1050,8 @@ function fromJSON(json) {
   flowchart,
   fromJSON,
   fromMermaid,
+  sanitizeLabel,
+  sanitizeURL,
   sequence,
   toJSON,
   toMermaid,