Merge pull request #2334 from bodnia/feature/xss

fix for xss issue

Author: fehguy

dist/css/print.css

@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }

dist/css/screen.css

@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }

dist/swagger-ui.js

@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }

dist/swagger-ui.min.js

@@ -832,6 +832,11 @@
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a {
   text-decoration: none;
 }
+.swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li a .markdown p {
+  color: inherit;
+  padding: 0;
+  line-height: inherit;
+}
 .swagger-section .swagger-ui-wrap ul#resources li.resource ul.endpoints li.endpoint ul.operations li.operation div.heading ul.options li.access {
   color: black;
 }

src/main/html/css/print.css

@@ -1,17 +1,43 @@
 'use strict';
 /*jslint eqeq: true*/
 
-Handlebars.registerHelper('sanitize', function(html) {
-    // Strip the script tags from the html, and return it as a Handlebars.SafeString
+var _sanitize = function(html) {
+    // Strip the script tags from the html and inline evenhandlers
     html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
-    return new Handlebars.SafeString(html);
-});
+    html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+
+    return html;
+};
+
+var sanitize =function (html) {
+    var _html;
+
+    if ( _.isUndefined(html) || _.isNull(html)) {
+        return new Handlebars.SafeString('');
+    }
+
+    if (_.isNumber(html))  {
+        return new Handlebars.SafeString(html);
+    }
+
+    if (_.isObject(html)){
+        _html = JSON.stringify(html);
+        return new Handlebars.SafeString(JSON.parse(_sanitize(_html)));
+    }
+
+    return new Handlebars.SafeString(_sanitize(html));
+};
+
+Handlebars.registerHelper('sanitize', sanitize);
 
 Handlebars.registerHelper('renderTextParam', function(param) {
     var result, type = 'text', idAtt = '';
     var paramType = param.type || param.schema && param.schema.type || '';
     var isArray = paramType.toLowerCase() === 'array' || param.allowMultiple;
     var defaultValue = isArray && Array.isArray(param.default) ? param.default.join('\n') : param.default;
+    var name = Handlebars.Utils.escapeExpression(param.name);
+    var valueId = Handlebars.Utils.escapeExpression(param.valueId);
+    paramType = Handlebars.Utils.escapeExpression(paramType);
 
     var dataVendorExtensions = Object.keys(param).filter(function(property) {
         // filter X-data- properties
@@ -21,24 +47,18 @@ Handlebars.registerHelper('renderTextParam', function(param) {
         return result += ' ' + property.substring(2, property.length) + '=\'' + param[property] + '\'';
     }, '');
 
-    if (typeof defaultValue === 'undefined') {
-        defaultValue = '';
-    }
-
     if(param.format && param.format === 'password') {
         type = 'password';
     }
 
-    if(param.valueId) {
-        idAtt = ' id=\'' + param.valueId + '\'';
+    if(valueId) {
+        idAtt = ' id=\'' + valueId + '\'';
     }
 
-    if (typeof defaultValue === 'string' || defaultValue instanceof String) {
-        defaultValue = defaultValue.replace(/'/g,'&apos;');
-    }
+    defaultValue = sanitize(defaultValue);
 
     if(isArray) {
-        result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + param.name + '\'' + idAtt + dataVendorExtensions;
+        result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + name + '\'' + idAtt + dataVendorExtensions;
         result += ' placeholder=\'Provide multiple values in new lines' + (param.required ? ' (at least one required).' : '.') + '\'>';
         result += defaultValue + '</textarea>';
     } else {
@@ -47,7 +67,7 @@ Handlebars.registerHelper('renderTextParam', function(param) {
           parameterClass += ' required';
         }
         result = '<input class=\'' + parameterClass + '\' minlength=\'' + (param.required ? 1 : 0) + '\'';
-        result += ' name=\'' + param.name +'\' placeholder=\'' + (param.required ? '(required)' : '') + '\'' + idAtt + dataVendorExtensions;
+        result += ' name=\'' + name +'\' placeholder=\'' + (param.required ? '(required)' : '') + '\'' + idAtt + dataVendorExtensions;
         result += ' type=\'' + type + '\' value=\'' + defaultValue + '\'/>';
     }
     return new Handlebars.SafeString(result);
@@ -76,3 +96,9 @@ Handlebars.registerHelper('ifCond', function (v1, operator, v2, options) {
             return options.inverse(this);
     }
 });
+
+Handlebars.registerHelper('escape', function (value) {
+    var text = Handlebars.Utils.escapeExpression(value);
+
+    return new Handlebars.SafeString(text);
+});

src/main/html/css/screen.css

@@ -68,5 +68,13 @@ window.SwaggerUi.utils = {
         }
 
         return result;
+    },
+
+    sanitize: function(html) {
+        // Strip the script tags from the html and inline evenhandlers
+        html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+        html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+
+        return html;
     }
 };

src/main/javascript/helpers/handlebars.js

@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
         id = id + '_' + counter;
         counter += 1;
       }
-      resource.id = id;
+      resource.id = SwaggerUi.utils.sanitize(id);
       resources[id] = resource;
       this.addResource(resource, this.model.auths);
     }

src/main/javascript/utils/utils.js

@@ -703,6 +703,11 @@
                                         font-size: 0.9em;
                                         a {
                                             text-decoration: none;
+                                            .markdown p {
+                                                color: inherit;
+                                                padding: 0;
+                                                line-height: inherit;
+                                            }
                                         }
                                     }
                                 }