Merge pull request #32 from advanced-rest-client/fix/W-10881270/sanitize-server-description

carowright · web-flow · commit 2b5e3bfeb55c · 2022-04-18T16:14:17.000-03:00
Fix/w 10881270/sanitize server description
diff --git a/demo/W-10881270/W-10881270.json b/demo/W-10881270/W-10881270.json
@@ -0,0 +1,22 @@
+{
+  "asyncapi": "2.0.0",
+  "info": {
+    "title": "asyncapijson",
+    "version": "1.0.1",
+    "description": "some description"
+  },
+  "servers": {
+    "server1": {
+      "url": "https://server1.com/",
+      "protocol": "https",
+      "protocolVersion": "1"
+    },
+    "server2": {
+      "url": "https://server2.com",
+      "protocol": "https",
+      "protocolVersion": "1",
+      "description":"XSS_IS_HERE<img src=x onerror=alert(document.domain)>"
+    }
+  },
+  "channels": {}
+}
diff --git a/demo/apis.json b/demo/apis.json
@@ -10,6 +10,7 @@
   "no-endpoints/no-endpoints.raml": "RAML 1.0",
   "google-drive-api/google-drive-api.raml": "RAML 1.0",
   "async-api/async-api.yaml": "ASYNC 2.0",
+  "W-10881270/W-10881270.json": "ASYNC 2.0",
   "exchange-experience-api/exchange-experience-api.raml": "RAML 0.8",
   "multiple-servers/multiple-servers.yaml": { "type": "OAS 3.0", "mime": "application/yaml" },
   "APIC-641/APIC-641.yaml": { "type": "OAS 3.0", "mime": "application/yaml" },
diff --git a/demo/index.js b/demo/index.js
@@ -26,6 +26,7 @@ class ApiDemo extends ApiDemoPage {
       ['multiple-servers', 'Multiple servers'],
       ['async-api', 'AsyncAPI'],
       ['APIC-641', 'APIC-641'],
+      ['W-10881270', 'W-10881270'],
     ].map(
       ([file, label]) => html`
         <anypoint-item data-src="${file}-compact.json">${label}</anypoint-item>
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@api-components/api-summary",
   "description": "A summary view for an API base on AMF data model",
-  "version": "4.6.4",
+  "version": "4.6.5",
   "license": "Apache-2.0",
   "main": "index.js",
   "module": "index.js",
diff --git a/src/ApiSummary.js b/src/ApiSummary.js
@@ -412,7 +412,7 @@ export class ApiSummary extends AmfHelperMixin(LitElement) {
     const description = this._computeDescription(server);
     return html`<li>
       ${uri}
-      <arc-marked .markdown=${description} class="server-description"></arc-marked>
+      <arc-marked .markdown=${description} class="server-description" sanitize></arc-marked>
     </li>`;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@api-components/api-summary",`
`3`	`3`	`"description": "A summary view for an API base on AMF data model",`
`4`		`- "version": "4.6.4",`
	`4`	`+ "version": "4.6.5",`
`5`	`5`	`"license": "Apache-2.0",`
`6`	`6`	`"main": "index.js",`
`7`	`7`	`"module": "index.js",`
Original file line number	Diff line number	Diff line change
`@@ -412,7 +412,7 @@ export class ApiSummary extends AmfHelperMixin(LitElement) {`
`412`	`412`	`const description = this._computeDescription(server);`
`413`	`413`	return html`<li>
`414`	`414`	`${uri}`
`415`		`- <arc-marked .markdown=${description} class="server-description"></arc-marked>`
	`415`	`+ <arc-marked .markdown=${description} class="server-description" sanitize></arc-marked>`
`416`	`416`	</li>`;
`417`	`417`	`}`
`418`	`418`