Secure Swagger UI with safe serialization and escaping #4855


Merged (2 commits, May 23, 2025)

Conversation

gcanti (Contributor) commented May 11, 2025

Enhance OpenAPI documentation handling by adding safe serialization and HTML escaping functions. This prevents script injection and ensures valid JSON output in the Swagger UI.

@gcanti gcanti requested a review from tim-smart as a code owner May 11, 2025 07:19
@github-project-automation github-project-automation bot moved this to Discussion Ongoing in PR Backlog May 11, 2025
changeset-bot bot commented May 11, 2025

🦋 Changeset detected

Latest commit: b7746e3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 27 packages
Name Type
@effect/platform Patch
@effect/cli Patch
@effect/cluster Patch
@effect/experimental Patch
@effect/opentelemetry Patch
@effect/platform-browser Patch
@effect/platform-bun Patch
@effect/platform-node-shared Patch
@effect/platform-node Patch
@effect/rpc Patch
@effect/sql-clickhouse Patch
@effect/sql-d1 Patch
@effect/sql-drizzle Patch
@effect/sql-libsql Patch
@effect/sql-mssql Patch
@effect/sql-mysql2 Patch
@effect/sql-pg Patch
@effect/sql-sqlite-bun Patch
@effect/sql-sqlite-node Patch
@effect/sql Patch
@effect/ai Patch
@effect/ai-anthropic Patch
@effect/ai-openai Patch
@effect/sql-sqlite-do Patch
@effect/sql-sqlite-react-native Patch
@effect/sql-sqlite-wasm Patch
@effect/sql-kysely Patch


gcanti (Contributor, Author) commented May 11, 2025

```html
<style>${internal.css}</style>
</head>
<body>
<div id="swagger-ui"></div>
<script id="swagger-spec" type="application/json">
```
Contributor:

What's the purpose of moving it to a separate script tag?

gcanti (Contributor, Author):

IIRC a type="application/json" tag is never executed, so we don't accidentally run any code
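The pattern discussed above, as an added TypeScript example that is not the PR's own code: the spec is serialized so that no string inside it can close the `application/json` element, the title goes through HTML escaping, and the bootstrap script reads the spec back with `JSON.parse`. The names `safeJsonForScript`, `escapeHtml` and `renderSwaggerPage` are hypothetical, and `SwaggerUIBundle` is assumed to be the global provided by the Swagger UI bundle.

```typescript
// Added example, not the PR's own code: embed an OpenAPI document in a
// <script type="application/json"> element that the browser never executes.

// Serialize to JSON that is safe inside a <script> element. The HTML parser
// ends a script element at the first "</script" (case-insensitive) wherever
// it appears, and "<!--" can switch it into the escaped state, so every "<"
// becomes \u003c. This stays valid JSON (JSON.parse decodes it back to "<").
// U+2028/U+2029 are escaped for consumers that treat them as line terminators.
function safeJsonForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
}

// Escape a string for HTML text content or a double-quoted attribute.
function escapeHtml(text: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  }
  return text.replace(/[&<>"']/g, (ch) => map[ch])
}

// Render the page: the title is untrusted (taken from the spec) and goes
// through escapeHtml; the spec is read back with JSON.parse, never evaluated.
// SwaggerUIBundle is assumed to be the global the Swagger UI bundle provides.
function renderSwaggerPage(spec: Record<string, unknown>): string {
  const info = spec.info as { title?: unknown } | undefined
  const title = typeof info?.title === "string" ? info.title : "API"
  return `<!DOCTYPE html>
<html>
<head><title>${escapeHtml(title)}</title></head>
<body>
<div id="swagger-ui"></div>
<script id="swagger-spec" type="application/json">${safeJsonForScript(spec)}</script>
<script>
  const spec = JSON.parse(document.getElementById("swagger-spec").textContent);
  SwaggerUIBundle({ spec, dom_id: "#swagger-ui" });
</script>
</body>
</html>`
}

// Constructed spec whose strings would break a naive `${JSON.stringify(spec)}`.
const hostileSpec: Record<string, unknown> = {
  openapi: "3.0.0",
  info: { title: 'Pets <b>& "friends"</b>', version: "1.0" },
  paths: { "/x": { get: { description: "</script> and <!-- not a comment" } } }
}
```

Rendering `hostileSpec` yields exactly two `</script` sequences (the two closing tags the template writes), and parsing the embedded JSON returns the original document unchanged.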

@tim-smart tim-smart merged commit 618903b into main May 23, 2025
16 of 17 checks passed
@tim-smart tim-smart deleted the swagger-ui-escaping branch May 23, 2025 01:29
@github-project-automation github-project-automation bot moved this from Discussion Ongoing to Done in PR Backlog May 23, 2025
@github-actions github-actions bot mentioned this pull request May 23, 2025

2 participants