fix: use url template dependency #1008

MrFix93 · 2019-08-07T12:20:39Z

We propose to use url-template instead of uri-template-lite . uri-template-lite seems to be vulnerable for a XSS attack as stated in #1007. I agree this dependency is less maintained then uri-template-lite. However, as the approach of this dependency is to generate code on runtime, probably to speed it up (therefore the '-lite'), we do not consider it 'safe'.

Also corrected a test that was not conform the spec, and detected by the new url-template dependency:

X{.list*}          X.red.green.blue

Therefore, the following test does not seems to be correct:

{ style: 'label', explode: true, expected: '.role=admin,firstName=Alex' },

should be:

{ style: 'label', explode: true, expected: '.role=admin.firstName=Alex' },

If you have any questions, let me know. We do like Redoc, but we have to comply to serious security policies.

Use a different url template dependency that does not have the XSS vulnerability as stated in Redocly#1007. Also corrected a test that was not conform the spec.

fix: use url template dependency

b95e38f

Use a different url template dependency that does not have the XSS vulnerability as stated in Redocly#1007. Also corrected a test that was not conform the spec.

MrFix93 mentioned this pull request Aug 7, 2019

Maximum call stack size exceeded #994

Closed

adamaltman requested a review from RomanHotsiy September 22, 2019 17:01

RomanHotsiy merged commit 32a464a into Redocly:master Sep 30, 2019

rafalolszewski94 mentioned this pull request Feb 11, 2020

Bumped redoc version to 2.0.0-rc.23 axnsan12/drf-yasg#543

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: use url template dependency #1008

fix: use url template dependency #1008

MrFix93 commented Aug 7, 2019

fix: use url template dependency #1008

fix: use url template dependency #1008

Conversation

MrFix93 commented Aug 7, 2019