Closed
Description
Response headers, returned after a "Try it out", may contain characters that have special meaning in HTML, in particular the < and > characters. When the response headers are displayed, this produces broken output (and possibly an XSS vulnerability).
In particular, the Link header (http://www.w3.org/wiki/LinkHeader) must contain < and > characters to be syntactically valid, and these are rendered as invisible HTML elements by swagger-ui.
Example Link header: <http://localhost/api/page?limit=10&offset=8>; rel="next", <http://localhost/api/page?limit=10&offset=8>; rel="last". Rendered as "Link": "; rel=\"next\", ; rel=\"last\"", with the <...> parts injected into the DOM but not visible.
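To illustrate the defect and its fix, here is an added example (not swagger-ui's own code) that renders a constructed set of response headers two ways: by concatenating raw values into markup, which turns the Link header's <...> URI references into stray elements, and by HTML-escaping names and values first. The header object, the escapeHtml helper and the renderHeaders* functions are all assumptions made for this example.

```javascript
// Constructed sample headers, shaped like the name/value pairs a client
// would read back from a fetch() response after "Try it out".
const sampleHeaders = {
  "Content-Type": "application/json",
  "Link": '<http://localhost/api/page?limit=10&offset=8>; rel="next", ' +
          '<http://localhost/api/page?limit=10&offset=8>; rel="last"',
};

// Naive rendering: header values are concatenated straight into markup, so the
// <...> parts of Link become (invisible) elements once this reaches innerHTML.
function renderHeadersUnsafe(headers) {
  return Object.entries(headers)
    .map(([name, value]) => `<div class="header">"${name}": "${value}"</div>`)
    .join("\n");
}

// Escape the five characters that carry meaning in HTML text and attributes.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every header name and value is escaped before it is
// placed in markup, so the Link header's angle brackets render as visible text.
function renderHeadersSafe(headers) {
  return Object.entries(headers)
    .map(([name, value]) =>
      `<div class="header">"${escapeHtml(name)}": "${escapeHtml(value)}"</div>`)
    .join("\n");
}

// Detection helper: count tag-like tokens in the produced markup other than
// the <div> wrappers the renderer itself emits.
function strayTags(html) {
  return (html.match(/<(?!\/?div\b)[^>]*>/g) || []).length;
}
```

In a real DOM the same effect is obtained by assigning header values with textContent (or via a templating layer that escapes by default) instead of innerHTML; the escaping function above is only needed when markup strings are built by hand.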