
Fix issue #1866, XSS in content types from schema. #1867

Merged
merged 1 commit into from
Jan 13, 2016

Conversation

joevennix
Contributor

See #1866.

To reproduce, use the example JSON, but change one of the "consumes" keys like so:

"consumes": ["application/json", "application/xml", "\"><script>alert(1)</script>"]

Or:

"produces": ["application/xml", "application/json", "\"><script>alert(1)</script>"]

You will see the alert dialog execute.
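The reproduction above works because a content type taken from the schema is interpolated into HTML, so a value beginning with `">` closes the attribute and the enclosing tag and the remainder is parsed as markup. The following is an added illustration written for this page, not swagger-ui code and not the patch merged in this PR (the page does not show the diff): a deliberately vulnerable renderer that concatenates the content type into an `<option>` element, beside a hardened version that HTML-escapes the value and, as defence in depth, rejects anything that does not look like a media type. The `consumes` array is a constructed sample that ends with the payload quoted in the PR description; `renderOptionVulnerable`, `renderOptionSafe`, `escapeHtml` and `isPlausibleMediaType` are hypothetical names.

```javascript
// Added illustration (not swagger-ui code, not the merged fix): why an
// unescaped content type from a Swagger document is an XSS sink, and one
// way to neutralise it. Payload string is the one quoted in the PR.

// Constructed sample "consumes" list with the PR's payload as third entry.
const consumes = [
  "application/json",
  "application/xml",
  "\"><script>alert(1)</script>",
];

// VULNERABLE: the content type goes straight into an attribute value and
// into element text. The leading `">` in the payload terminates the
// attribute and the <option> start tag; the rest is live markup.
function renderOptionVulnerable(contentType) {
  return '<option value="' + contentType + '">' + contentType + "</option>";
}

// Escaper sufficient for text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Defence in depth (assumption, not from the page): a content type should
// look like type/subtype with an optional parameter list; anything else is
// dropped before it reaches the template at all.
function isPlausibleMediaType(s) {
  return /^[A-Za-z0-9!#$&^_.+-]+\/[A-Za-z0-9!#$&^_.+-]+(\s*;\s*[^;=]+=[^;]+)*$/.test(
    String(s)
  );
}

// HARDENED: filter, then escape for the exact context (attribute + text).
function renderOptionSafe(contentType) {
  if (!isPlausibleMediaType(contentType)) return "";
  const e = escapeHtml(contentType);
  return '<option value="' + e + '">' + e + "</option>";
}

function renderList(list, render) {
  return list.map(render).join("");
}

// Check used below: did a raw <script> start tag survive rendering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Renders the constructed list both ways and reports whether each output
// still carries an executable <script> element.
function demo() {
  const bad = renderList(consumes, renderOptionVulnerable);
  const good = renderList(consumes, renderOptionSafe);
  return {
    vulnerableHasScript: containsScriptTag(bad),
    safeHasScript: containsScriptTag(good),
    bad,
    good,
  };
}

console.log(demo());
```

Escaping alone closes the hole shown in the PR; the media-type filter is only there to keep obviously non-content-type strings out of the UI, and would have to be relaxed if a schema legitimately uses unusual parameters.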

@joevennix
Contributor Author

Should I be committing the built files in dist/ in my PRs? Or should someone else rebuild them for me?

@fehguy
Contributor

fehguy commented Jan 13, 2016

Thanks @joevennix. In general, yes please commit the dist folder so users can grab swagger-ui without rebuilding. For this one, I'm happy to do it for you. Thanks!

fehguy added a commit that referenced this pull request Jan 13, 2016
Fix issue #1866, XSS in content types from schema.
@fehguy fehguy merged commit 31709fc into swagger-api:master Jan 13, 2016
vincent-zurczak pushed a commit to roboconf/swagger-ui that referenced this pull request Aug 19, 2016
@fehguy fehguy modified the milestone: v2.2.1 Aug 23, 2016