Fix potential self XSS in request url.

STRML · STRML · commit 5da60bfa626e · 2014-08-24T11:02:54.000-04:00
diff --git a/dist/swagger-ui.js b/dist/swagger-ui.js
@@ -1810,7 +1810,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data || {};
         }
       }
       this.invocationUrl = this.model.supportHeaderParams() ? (headerParams = this.model.getHeaderParams(map), this.model.urlify(map, false)) : this.model.urlify(map, true);
-      $(".request_url", $(this.el)).html("<pre>" + this.invocationUrl + "</pre>");
+      $(".request_url", $(this.el)).html("<pre></pre>");
+      $(".request_url pre", $(this.el)).text(this.invocationUrl);
       obj = {
         type: this.model.method,
         url: this.invocationUrl,
@@ -2006,7 +2007,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data || {};
         pre = $('<pre class="json" />').append(code);
       }
       response_body = pre;
-      $(".request_url", $(this.el)).html("<pre>" + url + "</pre>");
+      $(".request_url", $(this.el)).html("<pre></pre>");
+      $(".request_url pre", $(this.el)).text(url);
       $(".response_code", $(this.el)).html("<pre>" + response.status + "</pre>");
       $(".response_body", $(this.el)).html(response_body);
       $(".response_headers", $(this.el)).html("<pre>" + _.escape(JSON.stringify(response.headers, null, "  ")).replace(/\n/g, "<br>") + "</pre>");
diff --git a/dist/swagger-ui.min.js b/dist/swagger-ui.min.js
diff --git a/src/main/coffeescript/view/OperationView.coffee b/src/main/coffeescript/view/OperationView.coffee
@@ -186,8 +186,9 @@ class OperationView extends Backbone.View
       else
         @model.urlify(map, true)
 
-    $(".request_url", $(@el)).html "<pre>" + @invocationUrl + "</pre>"
-
+    $(".request_url", $(@el)).html("<pre></pre>") 
+    $(".request_url pre", $(@el)).text(@invocationUrl);
+    
     obj = 
       type: @model.method
       url: @invocationUrl
@@ -356,7 +357,8 @@ class OperationView extends Backbone.View
       pre = $('<pre class="json" />').append(code)
 
     response_body = pre
-    $(".request_url", $(@el)).html "<pre>" + url + "</pre>"
+    $(".request_url", $(@el)).html("<pre></pre>") 
+    $(".request_url pre", $(@el)).text(url);
     $(".response_code", $(@el)).html "<pre>" + response.status + "</pre>"
     $(".response_body", $(@el)).html response_body
     $(".response_headers", $(@el)).html "<pre>" + _.escape(JSON.stringify(response.headers, null, "  ")).replace(/\n/g, "<br>") + "</pre>"

Original file line number	Diff line number	Diff line change
`@@ -1810,7 +1810,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data \|\| {};`
`1810`	`1810`	`}`
`1811`	`1811`	`}`
`1812`	`1812`	`this.invocationUrl = this.model.supportHeaderParams() ? (headerParams = this.model.getHeaderParams(map), this.model.urlify(map, false)) : this.model.urlify(map, true);`
`1813`		`- $(".request_url", $(this.el)).html("<pre>" + this.invocationUrl + "</pre>");`
	`1813`	`+ $(".request_url", $(this.el)).html("<pre></pre>");`
	`1814`	`+ $(".request_url pre", $(this.el)).text(this.invocationUrl);`
`1814`	`1815`	`obj = {`
`1815`	`1816`	`type: this.model.method,`
`1816`	`1817`	`url: this.invocationUrl,`
`@@ -2006,7 +2007,8 @@ helpers = this.merge(helpers, Handlebars.helpers); data = data \|\| {};`
`2006`	`2007`	`pre = $('<pre class="json" />').append(code);`
`2007`	`2008`	`}`
`2008`	`2009`	`response_body = pre;`
`2009`		`- $(".request_url", $(this.el)).html("<pre>" + url + "</pre>");`
	`2010`	`+ $(".request_url", $(this.el)).html("<pre></pre>");`
	`2011`	`+ $(".request_url pre", $(this.el)).text(url);`
`2010`	`2012`	`$(".response_code", $(this.el)).html("<pre>" + response.status + "</pre>");`
`2011`	`2013`	`$(".response_body", $(this.el)).html(response_body);`
`2012`	`2014`	`$(".response_headers", $(this.el)).html("<pre>" + _.escape(JSON.stringify(response.headers, null, " ")).replace(/\n/g, "<br>") + "</pre>");`