API description problem

[ocdevops]

-swagger-ui version
Tested: 3.0.7-3.0.14
If you add a sample code to the API description in "pre" tags, some of the " will replace to ”

"option": {
       “hello":"demo text”
 }

[webron]

Can you provide a definition that reproduces it?

[ocdevops]

I checked it again and it only happens If I add some text before the pre tag:

"summary": "Demo API",
 "description": "Demo<br><pre>{<br/>&#9;\"demo\": \"value\",<br/>&#9;\"demo2\": \"hello\"&#9;<br>}</pre>",
"operationId": "demoAPI",

It returns:

{
  "demo": "value",
  "demo2": “hello”    
}

After I removed "Demo"

        "summary": "Demo API",
        "description": "<pre>{<br/>&#9;\"demo\": \"value\",<br/>&#9;\"demo2\": \"hello\"&#9;<br>}</pre>",
        "operationId": "demoAPI",

It returns correct response:

{
    "demo": "value",
  "demo2": "hello"    
}

[webron]

Interesting. This is all probably due to the introduced sanitizer that was introduced in #3165. We had to add to to deal with some XSS issues. Feel free to take a look, and if you have the capacity, submit a PR to improve it.

[heldersepu]

I was testing this under Swagger-Net and it seems to output the description a bit different:

"description": 
  "HelloWorld\r\n<pre>{\r\n    \"demo\": \"val\", \r\n    \"demo2\": \"hello\"\r\n}</pre>"

As you can see there are no <br/> or 	 instead it uses \r\n
@ocdevops I think that could be workaround for your issue.

[heldersepu]

@webron I submitted a PR(#4194) that changes the sanitizer...
I really do not want to break any existing functionality, and certainly not open a door for a possible XSS attack. That will look bad on my resume.

Do you have more details on the XSS issues ?

[shockey]

@heldersepu, https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet is a great jumping-off point for more information about XSS attacks!

Also, check out https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml for information on the baseline protection React provides.