fix: sanitize server description to avoid xss attacks

Author: carowright

demo/W-10881270/W-10881270.json

@@ -0,0 +1,22 @@
+{
+  "asyncapi": "2.0.0",
+  "info": {
+    "title": "asyncapijson",
+    "version": "1.0.1",
+    "description": "some description"
+  },
+  "servers": {
+    "server1": {
+      "url": "https://server1.com/",
+      "protocol": "https",
+      "protocolVersion": "1"
+    },
+    "server2": {
+      "url": "https://server2.com",
+      "protocol": "https",
+      "protocolVersion": "1",
+      "description":"XSS_IS_HERE<img src=x onerror=alert(document.domain)>"
+    }
+  },
+  "channels": {}
+}

demo/apis.json

@@ -10,6 +10,7 @@
   "no-endpoints/no-endpoints.raml": "RAML 1.0",
   "google-drive-api/google-drive-api.raml": "RAML 1.0",
   "async-api/async-api.yaml": "ASYNC 2.0",
+  "W-10881270/W-10881270.json": "ASYNC 2.0",
   "exchange-experience-api/exchange-experience-api.raml": "RAML 0.8",
   "multiple-servers/multiple-servers.yaml": { "type": "OAS 3.0", "mime": "application/yaml" },
   "APIC-641/APIC-641.yaml": { "type": "OAS 3.0", "mime": "application/yaml" },

demo/index.js

@@ -26,6 +26,7 @@ class ApiDemo extends ApiDemoPage {
       ['multiple-servers', 'Multiple servers'],
       ['async-api', 'AsyncAPI'],
       ['APIC-641', 'APIC-641'],
+      ['W-10881270', 'W-10881270'],
     ].map(
       ([file, label]) => html`
         <anypoint-item data-src="${file}-compact.json">${label}</anypoint-item>

src/ApiSummary.js

@@ -412,7 +412,7 @@ export class ApiSummary extends AmfHelperMixin(LitElement) {
     const description = this._computeDescription(server);
     return html`<li>
       ${uri}
-      <arc-marked .markdown=${description} class="server-description"></arc-marked>
+      <arc-marked .markdown=${description} class="server-description" sanitize></arc-marked>
     </li>`;
   }