
HTML not escaped when API responds with text/html - XSS vulnerability #1154

Closed
matthewhubblerose opened this issue Apr 13, 2015 · 3 comments

Comments

@matthewhubblerose

Not sure if this is by design or not, but this is an XSS vulnerability.

I've set up an API with a single GET method, that is documented to respond with Content-Type application/json. When using the "Try it out!" button, and the API instead responded with Content-Type text/html (due to an exception being handled by Apache Tomcat and generating an HTML page), the HTML was rendered in the Swagger UI page.

A simpler test case, is where I set up the API to respond with Content-Type text/html and this body:

<h1>Hello</h1><script>alert('XSS')</script>

When making the request with the "Try it out!" button, the resulting page looked like this:
[screenshot: swagger-ui-xss]

I believe that the correct way of handling a text/html response should be encoding all of the response so that it is just rendered as text in the browser. So in this case, the response should have been encoded to:

&lt;h1&gt;Hello&lt;/h1&gt;&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

which would then be rendered as text, rather than as HTML.

@matthewhubblerose
Author

I should add, this is with swagger-ui version 2.0.21. It looks like this has been fixed in a later release, the master branch is escaping the response with Underscore.js now:

$('.response_body', $(this.el)).html(_.escape(prettyJson));

Can someone confirm which version this was fixed in?

The code that loads in my browser looks like this:

$(".response_body", $(this.el)).html(response_body);
$(".response_headers", $(this.el)).html("<pre>" + _.escape(JSON.stringify(response.headers, null, "  ")).replace(/\n/g, "<br>") + "</pre>");

You can see the second line in the snippet is correctly escaping the response headers, but the response body itself is left unescaped. It looks like the headers were fixed for issue #492.
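The two rendering paths contrasted in the comment above, as an added example that is not part of the issue or of swagger-ui's code: a hand-written escaper (an assumption, standing in for Underscore's _.escape; its entity table is chosen so the apostrophe becomes &#39; as in the expected output) applied to the issue's text/html body, next to the unescaped 2.0.21 behaviour, with a check that no server-supplied tag survives escaping.

```javascript
// Added example, not swagger-ui code: contrast the 2.0.21 rendering path with
// an escaped one, using a hand-written escaper rather than Underscore itself.

// Entity table in the spirit of _.escape (assumption: our own table).
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Single-pass replace: every listed character is rewritten exactly once, so
// an ampersand produced by the escaper is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// 2.0.21 behaviour: whatever the server sent is handed to .html() untouched,
// so a text/html body (or any body containing markup) is parsed as HTML.
function renderResponseBodyVulnerable(body) {
  return body;
}

// Hardened behaviour: escape the body, then wrap it the way the headers line
// does, so it is displayed as text regardless of the response Content-Type.
function renderResponseBodyHardened(body) {
  return "<pre>" + escapeHtml(body).replace(/\n/g, "<br>") + "</pre>";
}

// Does the server-supplied part of a fragment still contain a tag opener?
// Our own <pre>/<br> wrapper is stripped before checking.
function serverMarkupSurvives(fragment) {
  const inner = fragment.replace(/^<pre>|<\/pre>$/g, "").replace(/<br>/g, "\n");
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample: the text/html body from the issue.
const SAMPLE_HTML_BODY = "<h1>Hello</h1><script>alert('XSS')</script>";
// Constructed sample: a JSON body whose string value carries markup, to show
// that escaping must happen for application/json responses as well.
const SAMPLE_JSON_BODY = JSON.stringify({ msg: "<b>hi</b>" }, null, 2);

console.log(renderResponseBodyVulnerable(SAMPLE_HTML_BODY)); // markup intact
console.log(renderResponseBodyHardened(SAMPLE_HTML_BODY));   // entities only
console.log(renderResponseBodyHardened(SAMPLE_JSON_BODY));
```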

@fehguy
Contributor

fehguy commented Apr 15, 2015

You should update to master, or 2.1.0-M2

@fehguy fehguy closed this as completed Apr 15, 2015
@matthewhubblerose
Author

Will do.

Do you know which specific release fixed the issue though? Is there a test to prevent regression?
