Diffstat (limited to 'app/assets/javascripts/drawio/drawio_editor.js')
-rw-r--r--app/assets/javascripts/drawio/drawio_editor.js31
1 files changed, 17 insertions, 14 deletions
diff --git a/app/assets/javascripts/drawio/drawio_editor.js b/app/assets/javascripts/drawio/drawio_editor.js
index 06e7f536426..9668c2835ce 100644
--- a/app/assets/javascripts/drawio/drawio_editor.js
+++ b/app/assets/javascripts/drawio/drawio_editor.js
@@ -9,6 +9,7 @@ import {
DRAWIO_FRAME_ID,
DIAGRAM_BACKGROUND_COLOR,
DRAWIO_IFRAME_TIMEOUT,
+ DIAGRAM_MAX_SIZE,
} from './constants';
function updateDrawioEditorState(drawIOEditorState, data) {
@@ -109,14 +110,24 @@ async function loadExistingDiagram(drawIOEditorState, editorFacade) {
try {
diagram = await editorFacade.getDiagram();
} catch (e) {
- throw new Error(__('Cannot load the diagram into the draw.io editor'));
+ throw new Error(__('Cannot load the diagram into the diagrams.net editor'));
}
if (diagram) {
- const { diagramMarkdown, filename, diagramSvg, contentType } = diagram;
+ const { diagramMarkdown, filename, diagramSvg, contentType, diagramURL } = diagram;
+ const resolvedURL = new URL(diagramURL, window.location.origin);
+ const diagramSvgSize = new Blob([diagramSvg]).size;
if (contentType !== 'image/svg+xml') {
- throw new Error(__('The selected image is not a diagram'));
+ throw new Error(__('The selected image is not a valid SVG diagram'));
+ }
+
+ if (resolvedURL.origin !== window.location.origin) {
+ throw new Error(__('The selected image is not an asset uploaded in the application'));
+ }
+
+ if (diagramSvgSize > DIAGRAM_MAX_SIZE) {
+ throw new Error(__('The selected image is too large.'));
}
updateDrawioEditorState(drawIOEditorState, {
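Review bot: The origin check `resolvedURL.origin !== window.location.origin` passes when `diagramURL` is missing, because `new URL(undefined, window.location.origin)` resolves the string "undefined" as a relative path on the application's own origin. Reject an absent value before resolving, e.g. `if (!diagramURL) throw new Error(__('The selected image is not an asset uploaded in the application'));`. A malformed absolute URL also makes `new URL` throw a raw `TypeError` ahead of the content-type check, so the failure surfaces with an untranslated message; catching it and rethrowing the same localized error would keep the rejection path uniform. `diagramSvg` is already in memory when these checks run, so they gate what reaches the editor rather than what was fetched; whether the fetch itself is restricted depends on `editorFacade.getDiagram`, which is not visible here. The body of `loadExistingDiagram` starts and ends outside the hunk.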
@@ -142,7 +153,7 @@ async function prepareEditor(drawIOEditorState, editorFacade) {
try {
await loadExistingDiagram(drawIOEditorState, editorFacade);
- iframe.style.visibility = '';
+ iframe.style.visibility = 'visible';
iframe.style.cursor = '';
window.scrollTo(0, 0);
} catch (e) {
@@ -212,23 +223,15 @@ function createEditorIFrame(drawIOEditorState) {
setAttributes(iframe, {
id: DRAWIO_FRAME_ID,
src: DRAWIO_EDITOR_URL,
+ class: 'drawio-editor',
});
- iframe.style.position = 'absolute';
- iframe.style.border = '0';
- iframe.style.top = '0px';
- iframe.style.left = '0px';
- iframe.style.width = '100%';
- iframe.style.height = '100%';
- iframe.style.zIndex = '1100';
- iframe.style.visibility = 'hidden';
-
document.body.appendChild(iframe);
setTimeout(() => {
if (drawIOEditorState.initialized === false) {
disposeDrawioEditor(drawIOEditorState);
- createAlert({ message: __('The draw.io editor could not be loaded.') });
+ createAlert({ message: __('The diagrams.net editor could not be loaded.') });
}
}, DRAWIO_IFRAME_TIMEOUT);
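Review bot: With the inline styles removed, the iframe's initial hidden state now depends entirely on the `drawio-editor` class, whose stylesheet rule is not part of this diff. If that rule is absent or applied late, the frame is appended to `document.body` visible before `loadExistingDiagram` has validated the diagram; the `prepareEditor` hunk's inline `visibility = 'visible'` only makes sense as an override of a rule that hides it. A short comment above `setAttributes` would record the dependency, e.g. `// .drawio-editor keeps the frame hidden until prepareEditor() reveals it`. The body of `createEditorIFrame` starts and ends outside the hunk.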