
Fix issue #1866, XSS in content types from schema. #1867

Merged
merged 1 commit into from
Jan 13, 2016

Conversation

joevennix (Contributor)

See #1866.

To reproduce, use the example JSON, but change one of the "consumes" keys like so:

```
"consumes" =>["application/json","application/xml","\"><script>alert(1)</script>"]
```

Or:

```
"produces" =>["application/xml","application/json","\"><script>alert(1)</script>"]
```

You will see the alert dialog execute.
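An added illustration of the bug class (not swagger-ui's own code, and not the patch in this PR): the `consumes`/`produces` arrays are schema-controlled, so any template that concatenates them into markup must escape them first. `renderContentTypesUnsafe`, `renderContentTypesSafe` and `escapeHtml` are hypothetical names; the input list mirrors the reproduction above.

```javascript
// Escape the five characters that matter in both HTML text and
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: a schema value is concatenated straight into the
// template, so a value starting with "> closes the attribute and the
// remainder is parsed as markup.
function renderContentTypesUnsafe(types) {
  return '<select>' +
    types.map((t) => '<option value="' + t + '">' + t + '</option>').join('') +
    '</select>';
}

// Hardened pattern: every schema-supplied value is escaped before it is
// placed into either the attribute or the element body. Building the
// options with DOM APIs (createElement + option.value = t) avoids the
// problem entirely, because the value is never parsed as HTML.
function renderContentTypesSafe(types) {
  return '<select>' +
    types.map((t) => {
      const v = escapeHtml(t);
      return '<option value="' + v + '">' + v + '</option>';
    }).join('') +
    '</select>';
}

// Constructed input mirroring the "consumes" list from the report.
const consumes = [
  'application/json',
  'application/xml',
  '"><script>alert(1)</script>',
];

// Regression check for a template: the only tags in the output should be
// the ones the template itself emits, never a script element.
function containsInjectedTag(html) {
  return /<script/i.test(html);
}
```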

@joevennix (Contributor, Author)

Should I be committing the built files in dist/ in my PRs? Or should someone else rebuild them for me?

@fehguy (Contributor) commented Jan 13, 2016

Thanks @joevennix. In general, yes please commit the dist folder so users can grab swagger-ui without rebuilding. For this one, I'm happy to do it for you. Thanks!

fehguy added a commit that referenced this pull request Jan 13, 2016
Fix issue #1866, XSS in content types from schema.
@fehguy fehguy merged commit 31709fc into swagger-api:master Jan 13, 2016
vincent-zurczak pushed a commit to roboconf/swagger-ui that referenced this pull request Aug 19, 2016
@fehguy fehguy modified the milestone: v2.2.1 Aug 23, 2016