replaced satinize with sanitize-html

Author: bodnia

.jshintrc

@@ -32,6 +32,7 @@
     "SwaggerUi": false,
     "jsyaml": false,
     "define": false,
+    "sanitizeHtml": false,
 
     // Global object
     // TODO: remove these

dist/index.html

@@ -12,6 +12,7 @@
   <link href='css/print.css' media='print' rel='stylesheet' type='text/css'/>
 
   <script src='lib/object-assign-pollyfill.js' type='text/javascript'></script>
+  <script src='lib/sanitize-html.min.js' type='text/javascript'></script>
   <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
   <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
   <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>

dist/swagger-ui.js

@@ -12,6 +12,7 @@
   <link href='css/print.css' media='print' rel='stylesheet' type='text/css'/>
 
   <script src='lib/object-assign-pollyfill.js' type='text/javascript'></script>
+  <script src='lib/sanitize-html.min.js' type='text/javascript'></script>
   <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
   <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
   <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>

dist/swagger-ui.min.js

@@ -1,34 +1,22 @@
 'use strict';
 /*jslint eqeq: true*/
 
-var _sanitize = function(html) {
-    // Strip the script tags from the html and inline evenhandlers
-    html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
-    html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+Handlebars.registerHelper('sanitize', function (text) {
+    var result;
 
-    return html;
-};
+    if (text === undefined) { return ''; }
 
-var sanitize =function (html) {
-    var _html;
-
-    if ( _.isUndefined(html) || _.isNull(html)) {
-        return new Handlebars.SafeString('');
-    }
-
-    if (_.isNumber(html))  {
-        return new Handlebars.SafeString(html);
-    }
-
-    if (_.isObject(html)){
-        _html = JSON.stringify(html);
-        return new Handlebars.SafeString(JSON.parse(_sanitize(_html)));
-    }
-
-    return new Handlebars.SafeString(_sanitize(html));
-};
+    result = sanitizeHtml(text, {
+        allowedTags: [ 'div', 'span', 'b', 'i', 'em', 'strong', 'a' ],
+        allowedAttributes: {
+            'div': [ 'class' ],
+            'span': [ 'class' ],
+            'a': [ 'href' ]
+        }
+    });
 
-Handlebars.registerHelper('sanitize', sanitize);
+    return new Handlebars.SafeString(result);
+});
 
 Handlebars.registerHelper('renderTextParam', function(param) {
     var result, type = 'text', idAtt = '';
@@ -55,7 +43,7 @@ Handlebars.registerHelper('renderTextParam', function(param) {
         idAtt = ' id=\'' + valueId + '\'';
     }
 
-    defaultValue = sanitize(defaultValue);
+    defaultValue = sanitizeHtml(defaultValue);
 
     if(isArray) {
         result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + name + '\'' + idAtt + dataVendorExtensions;

lib/sanitize-html.min.js

@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
         id = id + '_' + counter;
         counter += 1;
       }
-      resource.id = SwaggerUi.utils.sanitize(id);
+      resource.id = sanitizeHtml(id);
       resources[id] = resource;
       this.addResource(resource, this.model.auths);
     }