fixed tag xss issue

src/main/javascript/helpers/handlebars.js

@@ -11,7 +11,12 @@ var _sanitize = function(html) {
 
 var sanitize =function (html) {
     var _html;
-    if( _.isUndefined(html) || _.isNull(html) || _.isNumber(html))  {
+
+    if ( _.isUndefined(html) || _.isNull(html)) {
+        return new Handlebars.SafeString('');
+    }
+
+    if (_.isNumber(html))  {
         return new Handlebars.SafeString(html);
     }
 

src/main/javascript/utils/utils.js

@@ -68,5 +68,13 @@ window.SwaggerUi.utils = {
         }
 
         return result;
+    },
+
+    sanitize: function(html) {
+        // Strip the script tags from the html and inline evenhandlers
+        html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+        html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+
+        return html;
     }
 };

src/main/javascript/view/MainView.js

@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
         id = id + '_' + counter;
         counter += 1;
       }
-      resource.id = id;
+      resource.id = SwaggerUi.utils.sanitize(id);
       resources[id] = resource;
       this.addResource(resource, this.model.auths);
     }