Merge branch 'bodnia-feature/add-sanitize-html'

edwinanto2003 · Sep 1, 2016 · dab8c4a · dab8c4a
2 parents 48e7bc1 + 87438ad
commit dab8c4a
Show file tree

Hide file tree

Showing 9 changed files with 66 additions and 65 deletions.
diff --git a/.jshintrc b/.jshintrc
@@ -32,6 +32,7 @@
     "SwaggerUi": false,
     "jsyaml": false,
     "define": false,
+    "sanitizeHtml": false,
 
     // Global object
     // TODO: remove these

diff --git a/dist/lib/sanitize-html.min.js b/dist/lib/sanitize-html.min.js
diff --git a/dist/swagger-ui.js b/dist/swagger-ui.js
diff --git a/dist/swagger-ui.min.js b/dist/swagger-ui.min.js
diff --git a/gulpfile.js b/gulpfile.js
@@ -50,6 +50,7 @@ function _dist() {
   return es.merge(
     gulp.src([
         './node_modules/es5-shim/es5-shim.js',
+        './lib/sanitize-html.min.js',
         './src/main/javascript/**/*.js',
         './node_modules/swagger-client/browser/swagger-client.js'
       ]),

diff --git a/lib/sanitize-html.min.js b/lib/sanitize-html.min.js
diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
     }
   ],
   "description": "Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "homepage": "http://swagger.io",
   "license": "Apache-2.0",
   "main": "dist/swagger-ui.js",

diff --git a/src/main/javascript/helpers/handlebars.js b/src/main/javascript/helpers/handlebars.js
@@ -1,34 +1,22 @@
 'use strict';
 /*jslint eqeq: true*/
 
-var _sanitize = function(html) {
-    // Strip the script tags from the html and inline evenhandlers
-    html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
-    html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+Handlebars.registerHelper('sanitize', function (text) {
+    var result;
 
-    return html;
-};
+    if (text === undefined) { return ''; }
 
-var sanitize =function (html) {
-    var _html;
-
-    if ( _.isUndefined(html) || _.isNull(html)) {
-        return new Handlebars.SafeString('');
-    }
-
-    if (_.isNumber(html))  {
-        return new Handlebars.SafeString(html);
-    }
-
-    if (_.isObject(html)){
-        _html = JSON.stringify(html);
-        return new Handlebars.SafeString(JSON.parse(_sanitize(_html)));
-    }
-
-    return new Handlebars.SafeString(_sanitize(html));
-};
+    result = sanitizeHtml(text, {
+        allowedTags: [ 'div', 'span', 'b', 'i', 'em', 'strong', 'a' ],
+        allowedAttributes: {
+            'div': [ 'class' ],
+            'span': [ 'class' ],
+            'a': [ 'href' ]
+        }
+    });
 
-Handlebars.registerHelper('sanitize', sanitize);
+    return new Handlebars.SafeString(result);
+});
 
 Handlebars.registerHelper('renderTextParam', function(param) {
     var result, type = 'text', idAtt = '';
@@ -55,7 +43,7 @@ Handlebars.registerHelper('renderTextParam', function(param) {
         idAtt = ' id=\'' + valueId + '\'';
     }
 
-    defaultValue = sanitize(defaultValue);
+    defaultValue = sanitizeHtml(defaultValue);
 
     if(isArray) {
         result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + name + '\'' + idAtt + dataVendorExtensions;

diff --git a/src/main/javascript/view/MainView.js b/src/main/javascript/view/MainView.js
@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
         id = id + '_' + counter;
         counter += 1;
       }
-      resource.id = SwaggerUi.utils.sanitize(id);
+      resource.id = sanitizeHtml(id);
       resources[id] = resource;
       this.addResource(resource, this.model.auths);
     }