kyy/swagger-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: anchor tag safety (via #4789)

Browse Source 
* v3.17.6

* release(3.17.6): rebuild dist

* add failing tests

* fix Link component

* fix OnlineValidatorBadge component

* switch from <a> to <Link> in operation components

* make Markdown inputs safe

* use Link component in Info block, for target safety

* add eslint rule for unsafe `target` usage
This commit is contained in:
kyle
2018-08-04 00:54:03 -07:00
committed by GitHub
parent fe5b2344c7
commit dd3afdc456
15 changed files with 354 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
test/xss/anchor-target-rel/markdown.js Normal file
View File

@@ -0,0 +1,66 @@
/* eslint-env mocha */
import React from "react"
import expect from "expect"
import { render } from "enzyme"
import Markdown from "components/providers/markdown"
import { Markdown as OAS3Markdown } from "corePlugins/oas3/wrap-components/markdown.js"
describe("Markdown Link Anchor Safety", function () {
describe("Swagger 2.0", function () {
it("sanitizes Markdown links", function () {
const str = `Hello, [here](http://google.com/) is my link`
const wrapper = render(<Markdown source={str} />)
const anchor = wrapper.find("a")
expect(anchor.attr("href")).toEqual("http://google.com/")
expect(anchor.attr("target")).toEqual("_blank")
expect(anchor.attr("rel") || "").toInclude("noopener")
expect(anchor.attr("rel") || "").toInclude("noreferrer")
})
it("sanitizes raw HTML links", function () {
const str = `Hello, <a href="http://google.com/">here</a> is my link`
const wrapper = render(<Markdown source={str} />)
const anchor = wrapper.find("a")
expect(anchor.attr("href")).toEqual("http://google.com/")
expect(anchor.attr("rel") || "").toInclude("noopener")
expect(anchor.attr("rel") || "").toInclude("noreferrer")
})
})
describe("OAS 3", function () {
it("sanitizes Markdown links", function () {
const str = `Hello, [here](http://google.com/) is my link`
const wrapper = render(<OAS3Markdown source={str} />)
const anchor = wrapper.find("a")
expect(anchor.attr("href")).toEqual("http://google.com/")
expect(anchor.attr("target")).toEqual("_blank")
expect(anchor.attr("rel") || "").toInclude("noopener")
expect(anchor.attr("rel") || "").toInclude("noreferrer")
})
it("sanitizes raw HTML links", function () {
const str = `Hello, <a href="http://google.com/">here</a> is my link`
const wrapper = render(<OAS3Markdown source={str} />)
const anchor = wrapper.find("a")
expect(anchor.attr("href")).toEqual("http://google.com/")
expect(anchor.attr("rel") || "").toInclude("noopener")
expect(anchor.attr("rel") || "").toInclude("noreferrer")
})
})
})
function withMarkdownWrapper(str, { isOAS3 = false } = {}) {
if(isOAS3) {
return `<div class="renderedMarkdown"><p>${str}</p></div>`
}
return `<div class="markdown"><p>${str}</p>\n</div>`
}