fix for xss issue

Anna Bodnia
2016-08-17 20:55:23 +03:00
parent 6c4ccf7a6d
commit 11f1263a62
21 changed files with 529 additions and 531 deletions


@@ -1,17 +1,24 @@
'use strict';
/*jslint eqeq: true*/
Handlebars.registerHelper('sanitize', function(html) {
var sanitize = function(html) {
html = html || '';
// Strip the script tags from the html, and return it as a Handlebars.SafeString
html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
return new Handlebars.SafeString(html);
});
};
Handlebars.registerHelper('sanitize', sanitize);
Handlebars.registerHelper('renderTextParam', function(param) {
var result, type = 'text', idAtt = '';
var paramType = param.type || param.schema && param.schema.type || '';
var isArray = paramType.toLowerCase() === 'array' || param.allowMultiple;
var defaultValue = isArray && Array.isArray(param.default) ? param.default.join('\n') : param.default;
var name = Handlebars.Utils.escapeExpression(param.name);
var valueId = Handlebars.Utils.escapeExpression(param.valueId);
paramType = Handlebars.Utils.escapeExpression(paramType);
var dataVendorExtensions = Object.keys(param).filter(function(property) {
// filter X-data- properties
@@ -21,24 +28,18 @@ Handlebars.registerHelper('renderTextParam', function(param) {
return result += ' ' + property.substring(2, property.length) + '=\'' + param[property] + '\'';
}, '');
if (typeof defaultValue === 'undefined') {
defaultValue = '';
}
if(param.format && param.format === 'password') {
type = 'password';
}
if(param.valueId) {
idAtt = ' id=\'' + param.valueId + '\'';
if(valueId) {
idAtt = ' id=\'' + valueId + '\'';
}
if (typeof defaultValue === 'string' || defaultValue instanceof String) {
defaultValue = defaultValue.replace(/'/g,'&apos;');
}
defaultValue = sanitize(defaultValue);
if(isArray) {
result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + param.name + '\'' + idAtt + dataVendorExtensions;
result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + name + '\'' + idAtt + dataVendorExtensions;
result += ' placeholder=\'Provide multiple values in new lines' + (param.required ? ' (at least one required).' : '.') + '\'>';
result += defaultValue + '</textarea>';
} else {
@@ -47,7 +48,7 @@ Handlebars.registerHelper('renderTextParam', function(param) {
parameterClass += ' required';
}
result = '<input class=\'' + parameterClass + '\' minlength=\'' + (param.required ? 1 : 0) + '\'';
result += ' name=\'' + param.name +'\' placeholder=\'' + (param.required ? '(required)' : '') + '\'' + idAtt + dataVendorExtensions;
result += ' name=\'' + name +'\' placeholder=\'' + (param.required ? '(required)' : '') + '\'' + idAtt + dataVendorExtensions;
result += ' type=\'' + type + '\' value=\'' + defaultValue + '\'/>';
}
return new Handlebars.SafeString(result);
@@ -76,3 +77,9 @@ Handlebars.registerHelper('ifCond', function (v1, operator, v2, options) {
return options.inverse(this);
}
});
Handlebars.registerHelper('escape', function (value) {
var text = Handlebars.Utils.escapeExpression(value);
return new Handlebars.SafeString(text);
});
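Review bot: `defaultValue = sanitize(defaultValue);` in the second hunk throws for a non-string default — `sanitize` does `html = html || ''` and then calls `html.replace`, so a numeric or boolean `param.default` (the `Array.isArray(param.default)` check above shows defaults are not always strings) reaches `.replace` as a non-string and raises a TypeError, while the earlier `typeof defaultValue === 'string'` guard only protects the `&apos;` step. The regex denylist in `sanitize` also only strips `<script>` blocks and a narrow set of `on*=` attribute spellings, which is not a substitute for contextual escaping of a value that is interpolated into an attribute and into `<textarea>` content. Since the value is data rather than markup, the approach of the commit's own `escape` helper fits here: replace the `&apos;` replacement and the `sanitize` call with `defaultValue = Handlebars.Utils.escapeExpression(defaultValue);`, which also tolerates non-string and null input. The same gap remains for the vendor-extension attributes at the top of that hunk, where `property` and `param[property]` are concatenated into the tag unescaped; `Handlebars.Utils.escapeExpression(param[property])` would close it. `renderTextParam`'s body starts in the first hunk and its closing lies outside the shown lines.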