Possible XSS issue on https://redocly.github.io/redoc/
romanpryshliak opened this issue
Describe the bug
https://redocly.github.io/redoc/ renders the <input> tags.
Minimal reproducible OpenAPI snippet (if possible)
openapi: 3.0.3
info:
  title: Sample API
  description: This is a sample API to demonstrate OpenAPI specifications.
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
paths:
  /greet:
    get:
      summary: Greet the user
      description: Returns a greeting message <input>.
      responses:
        '200':
          description: A successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: "Hello, User!"
Screenshots
We already use a sanitizer to prevent XSS attacks. I believe it should be safe.
https://github.com/Redocly/redoc/blob/main/src/components/Markdown/SanitizedMdBlock.tsx#L27-L29
import * as DOMPurify from 'dompurify';
...
dangerouslySetInnerHTML={{
  __html: sanitize(options.untrustedSpec, rest.html),
}}
@AlexVarchuk I think it's off by default. We need to enable it for our demo.
We have untrustedSpec: true inside our demo.
I also made separate tests with this string, and they work the same way. Regarding the documentation, dompurify cleans attributes and events inside HTML. It seems it considers this case not critical because it works in other cases.
Got it. Let's close it then.
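As an added illustration of the behaviour the maintainers describe above (this is not Redoc's or DOMPurify's code): a toy model of an allow-list sanitizer gated on a flag named after Redoc's `untrustedSpec` option, which keeps a harmless `<input>` tag but strips event-handler attributes and script-scheme URLs. The tag allow-list, the regex tokenizer and the sample strings are assumptions constructed for this illustration; it operates on already-rendered HTML and is not a substitute for DOMPurify.

```javascript
// Toy model of the sanitizer policy discussed in the thread (constructed for
// illustration, not Redoc's or DOMPurify's implementation).
const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'code', 'pre',
  'ul', 'ol', 'li', 'br', 'input']);
const URL_ATTRS = new Set(['href', 'src']);

// Rewrite one tag: drop tags outside the allow-list, remove on* event-handler
// attributes and javascript: URLs, keep every other attribute as written.
function cleanTag(tag, closing, attrs) {
  const name = tag.toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return '';
  if (closing) return `</${name}>`;
  const kept = [];
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (attr.startsWith('on')) continue;                        // event handlers
    if (URL_ATTRS.has(attr) && /^\s*javascript:/i.test(value ?? '')) continue;
    kept.push(value === undefined ? attr : `${attr}="${value}"`);
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// Mirrors the shape of Redoc's sanitize(options.untrustedSpec, html) call:
// the markup is only cleaned when the spec is marked untrusted.
function sanitize(untrustedSpec, html) {
  if (!untrustedSpec) return html;
  return html.replace(/<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g,
    (_, slash, tag, attrs) => cleanTag(tag, slash === '/', attrs));
}

// Constructed inputs: the description string from the report, and the same
// tag carrying an event-handler attribute plus a harmless one.
const reported = 'Returns a greeting message <input>.';
const withHandler = 'Returns a greeting message <input onfocus="handler()" type="text">.';

console.log(sanitize(true, reported));     // the bare <input> tag survives
console.log(sanitize(true, withHandler));  // onfocus is dropped, type="text" kept
console.log(sanitize(false, withHandler)); // untrustedSpec off: returned untouched
```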