Makes the last `initOAuth` variable configurable via environment
variables in the swagger-ui docker image.
Co-authored-by: Christopher Giroir <chrisgiroir@improbable.io>
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
Reading configuration parameters from URL search params
is by default no longer enabled. To re-enable it, set queryConfigEnabled
configuration parameter to true.
Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.
Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
* feat: add tryItOutEnabled configuration
allow users to set tryItOutEnabled: true to display
the "Try it out" section by default
tryItOutEnabled to take === "true" for the
query string value or === true if someone
implements query string type parsing in the query
This commit changes markdown sanitization behaviour in following way:
class, style and data-* attributes are removed by default. These attributes
open possible vulnerability vectors to attackers.
The original behavior of sanitizer (before this commit) can be enabled by *useUnsafeMarkdown* configuration option.
Use this configuration option with caution and only in cases when you know
what you're doing.
* Add the withCredentials configuration key
It enables passing credentials in CORS requests. e.g. Cookies and
Authorization headers.
* Improve withCredentials documentation
* Add unit tests for the withCredentials config
* Update configuration.md
* Update configuration.md
* only set `withCredentials` Fetch flag if the config value is truthy
there are some workarounds in the wild today that involve setting `withCredentials` on `system.fn.fetch` directly.
this approach avoids mangling those existing workarounds!
* add more test cases
* Update configs-wrap-actions.js
* Update index.js
* add `onFound` callback to schemas
* add warning to method docs (for #4957)
* implement Docker OAuth2 init block support
* update docs
* add OAUTH_SCOPE_SEPARATOR
* drop OAuth env from Dockerfile and run script
* don't indent the first oauth block line
* drop unused `dedent` import
* touch up warning message
* add more test cases
* return an empty block if no OAuth content is generated
* fix broken doc line
* allow legacy values to override base values
* TEMPORARY (DROP THIS): use legacy HTML from Petstore
* improve(docker): bail out + provide helpful error if injection fails
* Revert "TEMPORARY (DROP THIS): use legacy HTML from Petstore"
This reverts commit 10c18c333262c5411197d9bb085c6b95305beb19.
* add `onFound` callback to schemas
* add warning to method docs (for #4957)
* implement Docker OAuth2 init block support
* update docs
* add OAUTH_SCOPE_SEPARATOR
* drop OAuth env from Dockerfile and run script
* don't indent the first oauth block line
* drop unused `dedent` import
* touch up warning message
* add more test cases
* return an empty block if no OAuth content is generated
* fix broken doc line
* allow legacy values to override base values
* add `onFound` callback to schemas
* add warning to method docs (for #4957)
* implement Docker OAuth2 init block support
* update docs
* add OAUTH_SCOPE_SEPARATOR
* drop OAuth env from Dockerfile and run script
* don't indent the first oauth block line
* drop unused `dedent` import
* touch up warning message
* add more test cases
* return an empty block if no OAuth content is generated
* fix broken doc line
