Property names are not escaped and allow XSS

[joevennix]

To reproduce, point swagger-ui at a JSON schema file that uses a model with a property containing <script>alert(1)</script>. The script will execute. I've attached a sinatra server that demonstrates the issue by replacing the "photoUrls" property with "photoUrls<script>alert(1)</script>":

https://gist.github.com/joevennix/b2bc8c04fd74f2f5d2b2

[danderson00]

Any update on when this might be fixed? Using a Content-Security-Policy header containing connect-src 'self' online.swagger.io mitigates this, but Internet Explorer is still vulnerable.

[webron]

@danderson00 - please consider submitting a PR to fix the issue, but we'll try to look into it as soon as possible as well.

[bradygaster-zz]

@fehguy is there an ETA for this issue's resolution?

[fehguy]

Any day now

[fehguy]

See a906cff

[hoomanb1]

Is there any CVE for this one?

[danderson00]

FYI, this is also still being reported as not fixed on the nodesecurity.io advisory which is used by some dependency scanners like david-dm. Not sure how to report the version it is fixed in.

[bradygaster-zz]

@fehguy what's the status here?

[webron]

We've pushed out three close releases - 2.2.1, 2.2.2 and 2.2.3 handling all the known XSS issues we've had whether reported to us (publicly or otherwise) or with our own experience, including this one.

Should you find any new additional XSS issues, please open new tickets on those and we'll address them as soon as possible.

[fehguy]

@bradygaster I contacted the node security folks and they've updated their page to show that 2.2.1 has this fixed.

[danderson00]

Thanks for your work on this!

[bradygaster-zz]

@fehguy thanks so much! got your email. looks like things are good.

[hoomanb1]

Just an FYI a cve-2016-1000229 has been assigned to this issue.