XSS in url parameter

[mehmetaydogdu]

Here is the XSS. http://petstore.swagger.io/?url=%3Cscript%3Ealert(atob(%22SGVyZSBpcyB0aGUgWFNT%22))%3C/script%3E

The problem is in /swagger-api/swagger-ui/master/dist/swagger-ui.js
at line
$('#input_baseUrl').val(url);

[ponelat]

@mehmetaydogdu thanks for pointing this out, XSS prevention is a necessary hassle and isn't always apparent.

You were close, but the issue was in showMessage and onFailure, where we were putting the failed URL in #message-bar, using $.html. We've now changed to $.text which escapes HTML entities. This comes at the cost of not being able to show fancy messages (those with markup), but there were no cases that I could find, so nothing lost :D

[mehmetaydogdu]

Is it possible to create a tag for the fix? The latest tag is 2.1.8M1 and it contains the issue. I am using webjars.org to download the swagger and I guess it uses the tags to package.

[webron]

A tag with this fix has been created a long time ago...

[mehmetaydogdu]

Which one is the tag?

[webron]

This was fixed in 2.1.0, so any tag from 2.1.0 onward would work (including the current master).