kyy/swagger-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Escape curl command to fix XSS vulnerability.

Browse Source
This commit is contained in:
joev
2016-01-12 23:31:59 -06:00
parent 3abf8d2c0d
commit 331d2be070
3 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
dist/swagger-ui.js vendored
View File

@@ -25241,10 +25241,10 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
this.parentId = this.model.parentId;
this.nickname = this.model.nickname;
this.model.encodedParentId = encodeURIComponent(this.parentId);
if (opts.swaggerOptions) {
this.model.defaultRendering = opts.swaggerOptions.defaultModelRendering;
if (opts.swaggerOptions.showRequestHeaders) {
this.model.showRequestHeaders = true;
}
@@ -25497,7 +25497,7 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
// This is required for JsonEditor to display the root properly
if(!param.schema.type){
param.schema.type = 'object';
}
}
// This is the title that will be used by JsonEditor for the root
// Since we already display the parameter's name in the Parameter column
// We set this to space, we can't set it to null or space otherwise JsonEditor
@@ -25505,7 +25505,7 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
if(!param.schema.title){
param.schema.title = ' ';
}
}
}
var paramView = new SwaggerUi.Views.ParameterView({
model: param,
@@ -25926,7 +25926,7 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
// adds curl output
var curlCommand = this.model.asCurl(this.map, {responseContentType: contentType});
curlCommand = curlCommand.replace('!', '!');
$( 'div.curl', $(this.el)).html('<pre>' + curlCommand + '</pre>');
$( 'div.curl', $(this.el)).html('<pre>' + _.escape(curlCommand) + '</pre>');
// only highlight the response if response is less than threshold, default state is highlight response
var opts = this.options.swaggerOptions;

6
dist/swagger-ui.min.js vendored
View File

File diff suppressed because one or more lines are too long

10
src/main/javascript/view/OperationView.js
View File

@@ -19,10 +19,10 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
this.parentId = this.model.parentId;
this.nickname = this.model.nickname;
this.model.encodedParentId = encodeURIComponent(this.parentId);
if (opts.swaggerOptions) {
this.model.defaultRendering = opts.swaggerOptions.defaultModelRendering;
if (opts.swaggerOptions.showRequestHeaders) {
this.model.showRequestHeaders = true;
}
@@ -275,7 +275,7 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
// This is required for JsonEditor to display the root properly
if(!param.schema.type){
param.schema.type = 'object';
}
}
// This is the title that will be used by JsonEditor for the root
// Since we already display the parameter's name in the Parameter column
// We set this to space, we can't set it to null or space otherwise JsonEditor
@@ -283,7 +283,7 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
if(!param.schema.title){
param.schema.title = ' ';
}
}
}
var paramView = new SwaggerUi.Views.ParameterView({
model: param,
@@ -704,7 +704,7 @@ SwaggerUi.Views.OperationView = Backbone.View.extend({
// adds curl output
var curlCommand = this.model.asCurl(this.map, {responseContentType: contentType});
curlCommand = curlCommand.replace('!', '&#33;');
$( 'div.curl', $(this.el)).html('<pre>' + curlCommand + '</pre>');
$( 'div.curl', $(this.el)).html('<pre>' + _.escape(curlCommand) + '</pre>');
// only highlight the response if response is less than threshold, default state is highlight response
var opts = this.options.swaggerOptions;