fixed tag xss issue

bodnia · bodnia · commit a1aea70f2c64 · 2016-08-23T18:26:50.000+03:00
diff --git a/dist/css/print.css b/dist/css/print.css
@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }
diff --git a/dist/css/screen.css b/dist/css/screen.css
@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }
diff --git a/dist/swagger-ui.js b/dist/swagger-ui.js
@@ -333,9 +333,9 @@ templates['operation'] = template({"1":function(container,depth0,helpers,partial
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.encodedParentId : depth0),{"name":"sanitize","hash":{},"data":data}))
     + "/"
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.nickname : depth0),{"name":"sanitize","hash":{},"data":data}))
-    + "' class=\"toggleOperation\">"
+    + "' class=\"toggleOperation\"><span class=\"markdown\">"
     + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,(depth0 != null ? depth0.summary : depth0),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
-    + "</a>\n          </li>\n        </ul>\n      </div>\n      <div class='content' id='"
+    + "</span></a>\n          </li>\n        </ul>\n      </div>\n      <div class='content' id='"
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.encodedParentId : depth0),{"name":"sanitize","hash":{},"data":data}))
     + "_"
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.nickname : depth0),{"name":"sanitize","hash":{},"data":data}))
@@ -3052,7 +3052,12 @@ var _sanitize = function(html) {
 
 var sanitize =function (html) {
     var _html;
-    if( _.isUndefined(html) || _.isNull(html) || _.isNumber(html))  {
+
+    if ( _.isUndefined(html) || _.isNull(html)) {
+        return new Handlebars.SafeString('');
+    }
+
+    if (_.isNumber(html))  {
         return new Handlebars.SafeString(html);
     }
 
@@ -21695,6 +21700,14 @@ window.SwaggerUi.utils = {
         }
 
         return result;
+    },
+
+    sanitize: function(html) {
+        // Strip the script tags from the html and inline evenhandlers
+        html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+        html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+
+        return html;
     }
 };
 'use strict';
@@ -22388,7 +22401,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
         id = id + '_' + counter;
         counter += 1;
       }
-      resource.id = id;
+      resource.id = SwaggerUi.utils.sanitize(id);
       resources[id] = resource;
       this.addResource(resource, this.model.auths);
     }
diff --git a/dist/swagger-ui.min.js b/dist/swagger-ui.min.js
diff --git a/src/main/html/css/print.css b/src/main/html/css/print.css
@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }
diff --git a/src/main/html/css/screen.css b/src/main/html/css/screen.css
@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }
diff --git a/src/main/javascript/helpers/handlebars.js b/src/main/javascript/helpers/handlebars.js
@@ -11,7 +11,12 @@ var _sanitize = function(html) {
 
 var sanitize =function (html) {
     var _html;
-    if( _.isUndefined(html) || _.isNull(html) || _.isNumber(html))  {
+
+    if ( _.isUndefined(html) || _.isNull(html)) {
+        return new Handlebars.SafeString('');
+    }
+
+    if (_.isNumber(html))  {
         return new Handlebars.SafeString(html);
     }
 
diff --git a/src/main/javascript/utils/utils.js b/src/main/javascript/utils/utils.js
@@ -68,5 +68,13 @@ window.SwaggerUi.utils = {
         }
 
         return result;
+    },
+
+    sanitize: function(html) {
+        // Strip the script tags from the html and inline evenhandlers
+        html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+        html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+
+        return html;
     }
 };
diff --git a/src/main/javascript/view/MainView.js b/src/main/javascript/view/MainView.js
@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
         id = id + '_' + counter;
         counter += 1;
       }
-      resource.id = id;
+      resource.id = SwaggerUi.utils.sanitize(id);
       resources[id] = resource;
       this.addResource(resource, this.model.auths);
     }
diff --git a/src/main/less/specs.less b/src/main/less/specs.less
@@ -703,6 +703,11 @@
                                         font-size: 0.9em;
                                         a {
                                             text-decoration: none;
+                                            .markdown p {
+                                                color: inherit;
+                                                padding: 0;
+                                                line-height: inherit;
+                                            }
                                         }
                                     }
                                 }
diff --git a/src/main/template/operation.handlebars b/src/main/template/operation.handlebars
@@ -11,7 +11,7 @@
         </h3>
         <ul class='options'>
           <li>
-          <a href='#!/{{sanitize encodedParentId}}/{{sanitize nickname}}' class="toggleOperation">{{{escape summary}}}</a>
+          <a href='#!/{{sanitize encodedParentId}}/{{sanitize nickname}}' class="toggleOperation"><span class="markdown">{{{escape summary}}}</span></a>
           </li>
         </ul>
       </div>
diff --git a/src/main/template/templates.js b/src/main/template/templates.js
@@ -327,9 +327,9 @@ templates['operation'] = template({"1":function(container,depth0,helpers,partial
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.encodedParentId : depth0),{"name":"sanitize","hash":{},"data":data}))
     + "/"
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.nickname : depth0),{"name":"sanitize","hash":{},"data":data}))
-    + "' class=\"toggleOperation\">"
+    + "' class=\"toggleOperation\"><span class=\"markdown\">"
     + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,(depth0 != null ? depth0.summary : depth0),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
-    + "</a>\n          </li>\n        </ul>\n      </div>\n      <div class='content' id='"
+    + "</span></a>\n          </li>\n        </ul>\n      </div>\n      <div class='content' id='"
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.encodedParentId : depth0),{"name":"sanitize","hash":{},"data":data}))
     + "_"
     + alias3((helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,(depth0 != null ? depth0.nickname : depth0),{"name":"sanitize","hash":{},"data":data}))

Original file line number	Diff line number	Diff line change
`@@ -832,6 +832,11 @@`
`832`	`832`	`.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {`
`833`	`833`	`text-decoration: none;`
`834`	`834`	`}`
	`835`	`+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {`
	`836`	`+ color: inherit;`
	`837`	`+ padding: 0;`
	`838`	`+ line-height: inherit;`
	`839`	`+}`
`835`	`840`	`.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {`
`836`	`841`	`color: black;`
`837`	`842`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,5 +68,13 @@ window.SwaggerUi.utils = {`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`return result;`
	`71`	`+ },`
	`72`	`+`
	`73`	`+ sanitize: function(html) {`
	`74`	`+ // Strip the script tags from the html and inline evenhandlers`
	`75`	`+ html = html.replace(/<script\b[^<](?:(?!<\/script>)<[^<])*<\/script>/gi, '');`
	`76`	`+ html = html.replace(/(on\w+="[^"]")(on\w+='[^']')(on\w+=\w\(\w\))*/gi, '');`
	`77`	`+`
	`78`	`+ return html;`
`71`	`79`	`}`
`72`	`80`	`};`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({`
`96`	`96`	`id = id + '_' + counter;`
`97`	`97`	`counter += 1;`
`98`	`98`	`}`
`99`		`- resource.id = id;`
	`99`	`+ resource.id = SwaggerUi.utils.sanitize(id);`
`100`	`100`	`resources[id] = resource;`
`101`	`101`	`this.addResource(resource, this.model.auths);`
`102`	`102`	`}`
Original file line number	Diff line number	Diff line change
`@@ -703,6 +703,11 @@`
`703`	`703`	`font-size: 0.9em;`
`704`	`704`	`a {`
`705`	`705`	`text-decoration: none;`
	`706`	`+ .markdown p {`
	`707`	`+ color: inherit;`
	`708`	`+ padding: 0;`
	`709`	`+ line-height: inherit;`
	`710`	`+ }`
`706`	`711`	`}`
`707`	`712`	`}`
`708`	`713`	`}`