Skip to content

Fix issue #1866, XSS in content types from schema. #1867

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 13, 2016
Merged

Fix issue #1866, XSS in content types from schema. #1867

merged 1 commit into from
Jan 13, 2016

Conversation

@joevennix
Copy link
Contributor

@joevennix joevennix commented Jan 13, 2016

See #1866.

To reproduce, use the example JSON, but change one of the "consumes" keys like so:

"consumes" =>["application/json","application/xml","\"><script>alert(1)</script>"]

Or:

"produces" =>["application/xml","application/json","\"><script>alert(1)</script>"]

You will see the alert dialog execute.

@joevennix joevennix mentioned this pull request Jan 13, 2016
Merged
@joevennix
Copy link
Contributor Author

joevennix commented Jan 13, 2016

Should I be committing the built files in dist/ in my PRs? Or should someone else rebuild them for me?

@fehguy
Copy link
Contributor

fehguy commented Jan 13, 2016

Thanks @joevennix. In general, yes please commit the dist folder so users can grab swagger-ui without rebuilding. For this one, I'm happy to do it for you. Thanks!

fehguy added a commit that referenced this pull request Jan 13, 2016
@fehguy
Merge pull request #1867 from joevennix/fix-content-type-xss
31709fc 
Fix issue #1866, XSS in content types from schema.
@fehguy fehguy merged commit 31709fc into swagger-api:master Jan 13, 2016
@fehguy fehguy mentioned this pull request Jan 13, 2016
Closed
vincent-zurczak pushed a commit to roboconf/swagger-ui that referenced this pull request Aug 19, 2016
@fehguy
Merge pull request swagger-api#1867 from joevennix/fix-content-type-xss
607e195 
Fix issue swagger-api#1866, XSS in content types from schema.
@fehguy fehguy modified the milestone: v2.2.1 Aug 23, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v2.2.1

Development

Successfully merging this pull request may close these issues.

2 participants

@joevennix @fehguy