Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: anchor tag safety #4789

Merged
merged 10 commits into from
Aug 4, 2018
Merged

security: anchor tag safety #4789

merged 10 commits into from
Aug 4, 2018

Conversation

shockey
Copy link
Contributor

@shockey shockey commented Aug 4, 2018
edited
Loading

Description

Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener".

This PR fixes our internal usage, adapts our Markdown parser to protect against from vulnerable user input, and adds a linter rule to prevent future introductions of this vulnerability into Swagger UI.

Motivation and Context

Fixes an issue reported through our disclosure channel (email, [email protected]).

How Has This Been Tested?

XSS tests have been extended to cover these changes.

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

@shockey shockey merged commit dd3afdc into master Aug 4, 2018
@shockey shockey mentioned this pull request Sep 13, 2018
Closed
@shockey shockey deleted the security/anchor-target-safety branch October 8, 2018 21:42
@ganeshgore
Copy link

Does anchor tag safety also means ignoring hrefs with non standard port.
I am trying to add anchor tag with non standard protocol like (vscode://filename) in description part of swagger document. It seems to ignore that . Is it possible to add such URLs?

You can quick check by adding
[TestLink](vscode://file/c:/temp.txt)
in description part of https://editor.swagger.io/ example. It removes href while rendering.

@shockey
Copy link
Contributor Author

shockey commented Nov 26, 2018

@ganeshgore it does, currently we only allow http/https. please open a feature request if you'd like to have support for vscode:// urls 😄

@bajtos bajtos mentioned this pull request Jun 21, 2019
Closed
17 tasks
bajtos added a commit to bajtos/swagger-ui that referenced this pull request Jun 21, 2019
@bajtos
fix: anchor tag safety
f104586 
Setting target="_blank" on anchor tags is unsafe unless used in
conjunction with rel="noopener".

This is a back-port of dd3afdc (swagger-api#4789) to fix the problem in
version 2.x.

Signed-off-by: Miroslav Bajtoš <[email protected]>
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Jul 23, 2019
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Sep 24, 2019
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Mar 15, 2020
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Apr 25, 2020
Open
This was referenced Jan 12, 2021
Closed
Closed
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Mar 10, 2021
Open
@github-actions github-actions bot mentioned this pull request Apr 19, 2021
Closed
@mend-for-github-com mend-for-github-com bot mentioned this pull request Dec 29, 2021
Closed
1 task
@mend-for-github-com mend-for-github-com bot mentioned this pull request Jun 2, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this pull request Feb 26, 2023
Closed
This was referenced Mar 6, 2023
Open
Open
Open
This was referenced Mar 9, 2023
Open
Open
This was referenced Mar 13, 2023
Closed
Open
@uriel-mend-app uriel-mend-app bot mentioned this pull request Mar 19, 2023
Closed
@dev-mend-for-github-com dev-mend-for-github-com bot mentioned this pull request May 23, 2024
Open
@staging-whitesource-for-github-com staging-whitesource-for-github-com bot mentioned this pull request May 23, 2024
Open
@mend-for-github-com mend-for-github-com bot mentioned this pull request Jul 26, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shockey @ganeshgore