fix(Markdown): render markdown in more secure way

This commit changes the markdown sanitization behaviour in the following way:

The class, style and data-* attributes are now removed by default. These attributes
open possible vulnerability vectors for attackers.

The original behavior of the sanitizer (before this commit) can be re-enabled with the *useUnsafeMarkdown* configuration option.
Use this configuration option with caution and only in cases when you know
what you're doing.
Vladimir Gorej
2020-06-11 14:54:40 +02:00
parent 48a0b46942
commit a616cb471d
22 changed files with 83 additions and 33 deletions


@@ -44,7 +44,7 @@ export default class ApiKeyAuth extends React.Component {
const Row = getComponent("Row")
const Col = getComponent("Col")
const AuthError = getComponent("authError")
const Markdown = getComponent( "Markdown" )
const Markdown = getComponent("Markdown", true)
const JumpToPath = getComponent("JumpToPath", true)
let value = this.getValue()
let errors = errSelectors.allErrors().filter( err => err.get("authId") === name)
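Review bot: The bare `true` in `getComponent("Markdown", true)` gives no hint why Markdown has to be resolved differently at this call site. Presumably it is the same flag `JumpToPath` is fetched with on the next line, and it lets the component reach the configuration that holds `useUnsafeMarkdown`. A short comment above the line, such as `// resolved with the flag so Markdown can read the sanitizer config`, would keep a later cleanup from dropping it. It is also worth confirming that any call site still using `getComponent("Markdown")` falls back to the sanitized default rather than throwing or rendering with the old permissive attribute list. The enclosing method starts and ends outside the hunk.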