kyy/swagger-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix potential self XSS in request url.

Browse Source
This commit is contained in:
Samuel Reed
2014-08-24 08:38:11 -04:00
parent ec81d25cb0
commit 5da60bfa62
3 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
dist/swagger-ui.js vendored
View File

@@ -1810,7 +1810,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data || {};
} }
} }
this.invocationUrl = this.model.supportHeaderParams() ? (headerParams = this.model.getHeaderParams(map), this.model.urlify(map, false)) : this.model.urlify(map, true); this.invocationUrl = this.model.supportHeaderParams() ? (headerParams = this.model.getHeaderParams(map), this.model.urlify(map, false)) : this.model.urlify(map, true);
$(".request_url", $(this.el)).html("<pre>" + this.invocationUrl + "</pre>"); $(".request_url", $(this.el)).html("<pre></pre>");
$(".request_url pre", $(this.el)).text(this.invocationUrl);
obj = { obj = {
type: this.model.method, type: this.model.method,
url: this.invocationUrl, url: this.invocationUrl,
@@ -2006,7 +2007,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data || {};
pre = $('<pre class="json" />').append(code); pre = $('<pre class="json" />').append(code);
} }
response_body = pre; response_body = pre;
$(".request_url", $(this.el)).html("<pre>" + url + "</pre>"); $(".request_url", $(this.el)).html("<pre></pre>");
$(".request_url pre", $(this.el)).text(url);
$(".response_code", $(this.el)).html("<pre>" + response.status + "</pre>"); $(".response_code", $(this.el)).html("<pre>" + response.status + "</pre>");
$(".response_body", $(this.el)).html(response_body); $(".response_body", $(this.el)).html(response_body);
$(".response_headers", $(this.el)).html("<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>"); $(".response_headers", $(this.el)).html("<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>");

2
dist/swagger-ui.min.js vendored
View File

File diff suppressed because one or more lines are too long

8
src/main/coffeescript/view/OperationView.coffee
View File

@@ -186,8 +186,9 @@ class OperationView extends Backbone.View
else else
@model.urlify(map, true) @model.urlify(map, true)
$(".request_url", $(@el)).html "<pre>" + @invocationUrl + "</pre>" $(".request_url", $(@el)).html("<pre></pre>")
$(".request_url pre", $(@el)).text(@invocationUrl);
obj = obj =
type: @model.method type: @model.method
url: @invocationUrl url: @invocationUrl
@@ -356,7 +357,8 @@ class OperationView extends Backbone.View
pre = $('<pre class="json" />').append(code) pre = $('<pre class="json" />').append(code)
response_body = pre response_body = pre
$(".request_url", $(@el)).html "<pre>" + url + "</pre>" $(".request_url", $(@el)).html("<pre></pre>")
$(".request_url pre", $(@el)).text(url);
$(".response_code", $(@el)).html "<pre>" + response.status + "</pre>" $(".response_code", $(@el)).html "<pre>" + response.status + "</pre>"
$(".response_body", $(@el)).html response_body $(".response_body", $(@el)).html response_body
$(".response_headers", $(@el)).html "<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>" $(".response_headers", $(@el)).html "<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>"