Redocly / redoc

📘 OpenAPI/Swagger-generated API Reference Documentation

Home Page: https://redocly.github.io/redoc/


Possible XSS issue on https://redocly.github.io/redoc/

romanpryshliak opened this issue

Describe the bug

https://redocly.github.io/redoc/ renders the <input> tags.

Minimal reproducible OpenAPI snippet (if possible)

openapi: 3.0.3
info:
  title: Sample API
  description: This is a sample API to demonstrate OpenAPI specifications.
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
paths:
  /greet:
    get:
      summary: Greet the user
      description: Returns a greeting message <input>.
      responses:
        '200':
          description: A successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: "Hello, User!"

Screenshots

[screenshot]

We already use a sanitizer to prevent XSS attacks. I believe it should be safe.

https://github.com/Redocly/redoc/blob/main/src/components/Markdown/SanitizedMdBlock.tsx#L27-L29

import * as DOMPurify from 'dompurify';

...

dangerouslySetInnerHTML={{
  __html: sanitize(options.untrustedSpec, rest.html),
}}

@AlexVarchuk I think it's off by default. We need to enable it for our demo.

We have untrustedSpec: true inside our demo.

I also made separate tests with this string, and they work the same way. Regarding the dompurify documentation, it cleans attributes and events inside HTML. It seems it considers this case not critical because it works in other cases.

Got it. Let's close it then.
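The thread's claim is that with untrustedSpec: true the raw HTML in a description still renders (so an <input> shows up as a live form control) but DOMPurify strips the parts that could execute script. The page below is an added reproduction harness, not code from the issue or from the Redoc project, for checking that claim in a browser: it embeds a constructed spec based on the /greet snippet above, adds an <input> and an <img> that carry inline event handlers, renders it with the standalone Redoc bundle, and then inspects the DOM for surviving handlers. Assumptions: the CDN path is the one in Redoc's README, Redoc.init accepts a spec object, an options object, a container element and a post-render callback, and, as the maintainers describe, omitting untrustedSpec bypasses the sanitizer.

```html
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>Redoc untrustedSpec check</title>
</head>
<body>
  <div id="redoc-container"></div>
  <!-- Standalone Redoc bundle; CDN path taken from Redoc's README (assumed current) -->
  <script src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"></script>
  <script>
    // Constructed spec (not from the issue): the same /greet path, but the description
    // now carries raw HTML with inline event handlers. The bare <input> reproduces the
    // report; the second <input> and the <img> would change document.title if their
    // handlers were allowed to run.
    const spec = {
      openapi: '3.0.3',
      info: {
        title: 'Sample API',
        version: '1.0.0',
        description: 'Constructed spec for checking HTML sanitization in descriptions.',
      },
      servers: [{ url: 'https://api.example.com/v1' }],
      paths: {
        '/greet': {
          get: {
            summary: 'Greet the user',
            description:
              'Returns a greeting message <input>. ' +
              '<input autofocus onfocus="document.title = \'HANDLER RAN\'"> ' +
              '<img src="x" onerror="document.title = \'HANDLER RAN\'">',
            responses: { '200': { description: 'A successful response' } },
          },
        },
      },
    };

    // Flip this between true and false to compare the two configurations.
    // false is the default; the maintainers state the demo sets it to true.
    const untrustedSpec = true;

    // Assumed signature: Redoc.init(spec, options, element, onRendered)
    Redoc.init(spec, { untrustedSpec }, document.getElementById('redoc-container'), () => {
      // Check: after render, no element under the container should still carry an
      // inline handler attribute, and document.title should be unchanged.
      const leaked = document.querySelectorAll(
        '#redoc-container [onfocus], #redoc-container [onerror]'
      );
      const inputs = document.querySelectorAll('#redoc-container input').length;
      console.log(
        'untrustedSpec =', untrustedSpec,
        '| <input> elements rendered:', inputs,
        '| inline handlers left in DOM:', leaked.length,
        '| document.title:', document.title
      );
    });
  </script>
</body>
</html>
```

If the thread's description holds, the untrustedSpec: true run logs rendered <input> elements (the cosmetic problem the issue reports) with zero leaked handlers and an unchanged title, while the untrustedSpec: false run leaves the handlers in place and the title changes once the image fails to load. The caveat worth keeping in mind is that DOMPurify's default policy keeps form controls and similar markup; it removes script execution vectors, not arbitrary HTML, so spec text from untrusted authors can still inject visible UI into the documentation page.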