Comments (4)
We already use sanitizer to prevent XSS attacks. I believe it should be safe.
https://github.com/Redocly/redoc/blob/main/src/components/Markdown/SanitizedMdBlock.tsx#L27-L29
import * as DOMPurify from 'dompurify';
...
dangerouslySetInnerHTML={{
__html: sanitize(options.untrustedSpec, rest.html),
}}
from redoc.
@AlexVarchuk I think it's off by default. We need to enable it for our demo.
We have untrustedSpec: true inside our demo.
I also made separate tests with this string, and they work the same way. Regarding the documentation, dompurify cleans attributes and events inside HTML. It seems it considers this case not critical because it works in other cases.
Got it. Let's close it then.