Fix potential self XSS in request url.
STRML committed Aug 24, 2014
1 parent ec81d25 commit 5da60bf
Showing 3 changed files with 10 additions and 6 deletions.
6 changes: 4 additions & 2 deletions dist/swagger-ui.js
Expand Up @@ -1810,7 +1810,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data || {};
}
}
this.invocationUrl = this.model.supportHeaderParams() ? (headerParams = this.model.getHeaderParams(map), this.model.urlify(map, false)) : this.model.urlify(map, true);
$(".request_url", $(this.el)).html("<pre>" + this.invocationUrl + "</pre>");
$(".request_url", $(this.el)).html("<pre></pre>");
$(".request_url pre", $(this.el)).text(this.invocationUrl);
obj = {
type: this.model.method,
url: this.invocationUrl,
Expand Down Expand Up @@ -2006,7 +2007,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data || {};
pre = $('<pre class="json" />').append(code);
}
response_body = pre;
$(".request_url", $(this.el)).html("<pre>" + url + "</pre>");
$(".request_url", $(this.el)).html("<pre></pre>");
$(".request_url pre", $(this.el)).text(url);
$(".response_code", $(this.el)).html("<pre>" + response.status + "</pre>");
$(".response_body", $(this.el)).html(response_body);
$(".response_headers", $(this.el)).html("<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>");
2 changes: 1 addition & 1 deletion dist/swagger-ui.min.js

Large diffs are not rendered by default.

8 changes: 5 additions & 3 deletions src/main/coffeescript/view/OperationView.coffee
Expand Up @@ -186,8 +186,9 @@ class OperationView extends Backbone.View
else
@model.urlify(map, true)

$(".request_url", $(@el)).html "<pre>" + @invocationUrl + "</pre>"

$(".request_url", $(@el)).html("<pre></pre>")
$(".request_url pre", $(@el)).text(@invocationUrl);

obj =
type: @model.method
url: @invocationUrl
Expand Down Expand Up @@ -356,7 +357,8 @@ class OperationView extends Backbone.View
pre = $('<pre class="json" />').append(code)

response_body = pre
$(".request_url", $(@el)).html "<pre>" + url + "</pre>"
$(".request_url", $(@el)).html("<pre></pre>")
$(".request_url pre", $(@el)).text(url);
$(".response_code", $(@el)).html "<pre>" + response.status + "</pre>"
$(".response_body", $(@el)).html response_body
$(".response_headers", $(@el)).html "<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>"
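Review bot: The trailing semicolons on the new `.text(...)` lines (`$(".request_url pre", $(@el)).text(@invocationUrl);` here and `.text(url);` in the second hunk) are not needed in CoffeeScript and break with the paren-less call style of the neighbouring lines such as `$(".response_code", $(@el)).html "<pre>" + response.status + "</pre>"`. The two-step build (write an empty `<pre>` with `.html`, then re-select it with `.request_url pre`) can be collapsed into one expression that keeps the same text-node escaping and avoids the second lookup, `$(".request_url", $(@el)).html $("<pre/>").text(@invocationUrl)`, the same way `.html response_body` already passes a jQuery-built `pre` in this hunk. `response.status` on the line after the second hunk's change is still concatenated into `.html`; it is presumably the numeric XHR status rather than attacker-influenced text, but routing it through the same `.text` pattern would make that guarantee explicit instead of implicit. Both enclosing methods start and end outside their hunks.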
