Comments (4)
AlexVarchuk
commented on July 4, 2024
We already use sanitizer to prevent XSS attacks. I believe it should be safe.
https://github.com/Redocly/redoc/blob/main/src/components/Markdown/SanitizedMdBlock.tsx#L27-L29
import * as DOMPurify from 'dompurify';
...
dangerouslySetInnerHTML={{
__html: sanitize(options.untrustedSpec, rest.html),
}}from redoc.
RomanHotsiy
commented on July 4, 2024
@AlexVarchuk I think it's off by default. We need to enable it for our demo.
from redoc.
AlexVarchuk
commented on July 4, 2024
We have untrustedSpec: true inside our demo.
I also made separate tests with this string, and they work the same way. Regarding documentation dompurify, cleans attributes, and events inside HTML. It seems it considers this case not critical because it works in other cases.
from redoc.
RomanHotsiy
commented on July 4, 2024
Got it. Let's close it then.
from redoc.
Related Issues (20)
- Accessibility: No keyboard accessibility to open menu when zooming in
- When opening an HTML file built with the Redocly command in a browser that contains an anchor, the sidebar does not expand and automatically positions to that anchor. HOT 3
- Accessibility: Visibility of chain symbol
- Required properties in 3.1.0 spec not working when used as sibling
- Security vulnerability in old version of lodash HOT 3
- Kritsana
- 2.1.4 isn't available on cdn.redoc.ly HOT 2
- How to search for Chinese in redoc-static.html? HOT 2
- React warning on standard out when generating HTML documentation HOT 1
- The v2.1.4 defines jest-environment-jsdom as prod dependency HOT 1
- Display conditional application of subschemas through the use of dependentRequired
- Redocly website blocks access to API documentation HOT 1
- This search cannot be used properly HOT 1
- Redocly mangles some property names HOT 3
- The field "Upload File" doesn´t show HOT 2
- minLength/maxLength not shown for array items with pattern HOT 1
- Disable "Response samples" section HOT 1
- Highlighting for request/response sample/example strings ignores content media type (always JSON highlighting)
- Building docs produces lots of warnings HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from redoc.