security: anchor tag safety #4789
Conversation
Does anchor tag safety also mean ignoring hrefs with a non-standard port? You can quickly check by adding |
@ganeshgore it does; currently we only allow http/https. Please open a feature request if you'd like to have support for |
Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener". This is a back-port of dd3afdc (swagger-api#4789) to fix the problem in version 2.x. Signed-off-by: Miroslav Bajtoš <[email protected]>
Description
Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener". This PR fixes our internal usage, adapts our Markdown parser to protect against vulnerable user input, and adds a linter rule to prevent future introductions of this vulnerability into Swagger UI.
Motivation and Context
Fixes an issue reported through our disclosure channel (email, [email protected]).
How Has This Been Tested?
XSS tests have been extended to cover these changes.
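The two defensive pieces the description mentions, a post-processing step for rendered Markdown and a lint-style check, shown as an added example in plain JavaScript. This is not Swagger UI's own code: it assumes anchors arrive as already-sanitized HTML strings, that only http/https (and scheme-less relative) hrefs should survive, and that every `target="_blank"` must carry `rel="noopener"`. The tag regex and attribute parser are deliberately small and only cover well-formed `<a ...>` start tags; a real sanitizer would work on a DOM.

```javascript
// Added example, not swagger-ui code. Hardens <a> tags in sanitized Markdown
// output: drops hrefs whose scheme is not http/https and forces rel="noopener"
// onto every target="_blank" so the opened page cannot reach window.opener.

const ALLOWED_SCHEMES = ['http:', 'https:'];

// Parse the attribute text of one <a ...> start tag into an insertion-ordered Map.
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs.set(m[1].toLowerCase(), value);
  }
  return attrs;
}

// Serialize attributes back with double quotes, escaping any embedded quote.
function serializeAttrs(attrs) {
  return [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`).join(' ');
}

// Scheme-less (relative) hrefs are allowed; absolute ones must parse as http/https.
// Parsing with URL keeps non-standard ports, e.g. http://host:8080/ is still http.
function hrefIsAllowed(href) {
  const trimmed = href.trim();
  if (!/^[a-z][a-z0-9+.-]*:/i.test(trimmed)) return true;
  try {
    return ALLOWED_SCHEMES.includes(new URL(trimmed).protocol);
  } catch (e) {
    return false; // unparsable absolute URL: treat as disallowed
  }
}

// Rewrite every <a ...> start tag so it is safe to render.
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (attrs.has('href') && !hrefIsAllowed(attrs.get('href'))) {
      attrs.delete('href'); // javascript:, data:, vbscript: and friends are dropped
    }
    if ((attrs.get('target') || '').toLowerCase() === '_blank') {
      const rel = new Set((attrs.get('rel') || '').split(/\s+/).filter(Boolean));
      rel.add('noopener'); // keep any existing rel tokens, add the one that matters
      attrs.set('rel', [...rel].join(' '));
    }
    const serialized = serializeAttrs(attrs);
    return serialized ? `<a ${serialized}>` : '<a>';
  });
}

// Lint-style check: return every <a> tag that opens a new window without noopener.
// Useful as a test assertion or a CI grep over rendered templates.
function findUnsafeAnchors(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/);
    if ((attrs.get('target') || '').toLowerCase() === '_blank' && !rel.includes('noopener')) {
      unsafe.push(m[0]);
    }
  }
  return unsafe;
}

// Constructed sample input standing in for rendered Markdown.
const SAMPLE = '<p>See <a href="https://example.com/docs" target="_blank">docs</a> '
  + 'or <a href="javascript:alert(1)">this</a>.</p>';

module.exports = { parseAttrs, hrefIsAllowed, hardenAnchors, findUnsafeAnchors, SAMPLE };
```

Running `hardenAnchors(SAMPLE)` yields the same markup with `rel="noopener"` added to the first link and the `javascript:` href removed from the second; `findUnsafeAnchors` reports one offending tag before hardening and none after. Because the check keys on `target="_blank"` rather than on where the link points, it also flags internal links, which is the behaviour a lint rule should have: the missing `rel` is the defect regardless of destination.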