Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Markdown descriptions of API calls allows for XSS #1864

Closed
joevennix opened this issue Jan 12, 2016 · 2 comments
Closed

Markdown descriptions of API calls allows for XSS #1864

joevennix opened this issue Jan 12, 2016 · 2 comments
Labels
cat: security P1 type: bug
Milestone
v2.2.1

Comments

@joevennix
Copy link
Contributor

To reproduce, insert a <script> into the description of a method in the JSON schema. An example sinatra server is attached. To reproduce, go to the URL:

http://swaggerhost/index.html?url=http://localhost:4567/swagger.json#!/pet/getPetById

And you will see an alert().

The sinatra server script can be downloaded here:

https://gist.github.com/joevennix/effa381d5fa520662b07
@joevennix
Copy link
Contributor Author

It would be a good idea to move any inline <script> tags into their own files, and add a CSP <meta> tag that prevents inline scripts from running. That would prevent most of these reflected XSS vulns.

@bodnia bodnia mentioned this issue Aug 18, 2016
Merged
@fehguy
Copy link
Contributor

fehguy commented Aug 23, 2016

Fixed in a906cff

@fehguy fehguy closed this as completed Aug 23, 2016
@fehguy fehguy added this to the v2.2.1 milestone Aug 23, 2016
@fehguy fehguy mentioned this issue Jan 25, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cat: security P1 type: bug
Projects
None yet
Milestone
v2.2.1
Development

No branches or pull requests
3 participants
@webron @fehguy @joevennix