This commit changes markdown sanitization behaviour in following way:
class, style and data-* attributes are removed by default. These attributes
open possible vulnerability vectors to attackers.
The original behavior of sanitizer (before this commit) can be enabled by *useUnsafeMarkdown* configuration option.
Use this configuration option with caution and only in cases when you know
what you're doing.
* add `security-audit` script
* npm audit fix
* remove nyc
* nightwatch@1
this breaks the test suite, but it appears to have already regressed. leaving it for another day, TODO: open a backlog ticket
* add `security-audit` script
* disable mocha exclusivity
* update package-lock.json
* cypress@3.4.0
* `npm audit fix`
* @release-it/conventional-changelog@1.1.0
* release-it@12
* Add the withCredentials configuration key
It enables passing credentials in CORS requests. e.g. Cookies and
Authorization headers.
* Improve withCredentials documentation
* Add unit tests for the withCredentials config
* Update configuration.md
* Update configuration.md
* only set `withCredentials` Fetch flag if the config value is truthy
there are some workarounds in the wild today that involve setting `withCredentials` on `system.fn.fetch` directly.
this approach avoids mangling those existing workarounds!
* add more test cases
* Update configs-wrap-actions.js
* Update index.js
* add `onFound` callback to schemas
* add warning to method docs (for #4957)
* implement Docker OAuth2 init block support
* update docs
* add OAUTH_SCOPE_SEPARATOR
* drop OAuth env from Dockerfile and run script
* don't indent the first oauth block line
* drop unused `dedent` import
* touch up warning message
* add more test cases
* return an empty block if no OAuth content is generated
* fix broken doc line
* Updated 'urls' (An array of API definition objects) description.
Updated 'urls' (An array of API definition objects) description to show an actual object array containing two (2) urls, clarifying this configuration-option.
* urls is an array, not a string
* extend getExtensions
Add optional param to getExtensions that can retrieve more stuff
* Add getCommonExtensions
* Trim trailing spaces
* Remove unused parameter
* Move the format inline with the param type
* correction to UnitTest
* Use `parameterWithMeta` to get parameter data in <ParameterRow>
* Prefer specPath when fetching resolved subtrees in OperationContainer
* Add test for OAS3 callback rendering
* Remove debugger statement
* Pass base resolution URL directly to Swagger-Client subtree resolver
* Remove accidental comment
* Migrate additional options
* Don't default to empty Map when getting subtree
* fix(validateParam): check for ImList type before using count method
* Use `replaceState` to update `urls.primaryName`
This gives us the stateful URL we want, without:
(a) refreshing the page on update
(b) creating a long, useless history for the user
(c) implying that browser history is two-way bound
to Swagger-UI (it isn't, we don't have a router)
* Add `fn.opsFilter` docs and internal API versioning note
* restrict `x-example` functionality to Swagger 2.0
* polish Authorize + Close buttons
* add tachyons; use it for padding the new Reset button
* v3.12.0
* rebuild dist
