AdobeDocs / aem-developer-materials

Apache License 2.0

Security risk: XSS vulnerability in swagger #19

Open timkim opened 2 years ago

timkim commented 2 years ago

We have a security report that the swagger ui in the static folder is outdated and is vulnerable to an XSS attack.

Report: DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim's browser used by the original client side script, so that the client side code runs in an “unexpected” manner.

When we visit https://www.adobe.io/experience-manager/reference-materials/6-5/assets-api-content-fragments/index.html?url=https://akshanshjaiswal.com/2312pip21_22Ws.html the swagger app visits the URL https://akshanshjaiswal.com/2312pip21_22Ws.html to fetch API documentation and then it uses DOM-Purify to filter the response and show it in the DOM.

The problem is, the swagger-ui running on https://www.adobe.io/experience-manager/reference-materials/6-5/assets-api-content-fragments/index.html is very old and is vulnerable to DOM-XSS because it is using an older version of DOM-purify.

Please update the DOM-purify component of the site.
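The report above hinges on swagger-ui loading whatever API spec the `url` query parameter names, so a remote page controls the input that DOMPurify has to sanitize. Besides updating DOMPurify, a page can refuse to fetch specs from anywhere but its own documentation path. The allowlist check below is an added example, not code from this repository or from swagger-ui; the allowed prefix, default spec path and the `SwaggerUIBundle` call site are assumptions for illustration.

```javascript
// Added example: constrain the `url` query parameter that swagger-ui reads so only
// specs under an allowlisted https prefix are fetched. Anything else falls back to
// the site's own default spec. DEFAULT_SPEC and ALLOWED_SPEC_PREFIX are assumed values.
const DEFAULT_SPEC = "./swagger.json";
const ALLOWED_SPEC_PREFIX =
  "https://www.adobe.io/experience-manager/reference-materials/";

// Returns the spec URL swagger-ui should load.
//   search    - the page's query string, e.g. "?url=https://attacker.example/x.html"
//   pageUrl   - the current page URL, used to resolve relative values
//   allowedPrefix - absolute https prefix that spec URLs must start with
function resolveSpecUrl(search, pageUrl, allowedPrefix = ALLOWED_SPEC_PREFIX) {
  const requested = new URLSearchParams(search).get("url");
  if (!requested) return DEFAULT_SPEC;

  let candidate;
  try {
    // Resolve against the page so "../x.json" is normalised before the prefix check
    candidate = new URL(requested, pageUrl);
  } catch (e) {
    return DEFAULT_SPEC; // unparsable value: ignore it
  }

  // Only https (rejects http:, javascript:, data:) and no embedded credentials
  if (candidate.protocol !== "https:" || candidate.username || candidate.password) {
    return DEFAULT_SPEC;
  }
  // Prefix includes scheme, host and path, so "www.adobe.io.attacker.example" fails
  if (!candidate.href.startsWith(allowedPrefix)) return DEFAULT_SPEC;
  return candidate.href;
}

// Assumed call site: in the page's index.html this replaces passing ?url= straight
// to swagger-ui. SwaggerUIBundle({ url, dom_id }) is swagger-ui's documented entry point.
if (typeof window !== "undefined" && typeof SwaggerUIBundle !== "undefined") {
  SwaggerUIBundle({
    url: resolveSpecUrl(window.location.search, window.location.href),
    dom_id: "#swagger-ui",
  });
}
```

This narrows the fetch target only; the spec content is still rendered through DOMPurify, so the library update requested in the issue remains necessary.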

guillaumecarlino commented 2 years ago

Created SITES-3872 to track this.

guillaumecarlino commented 2 years ago

@timkim, this should be fixed now, I updated the files based on what came out of SITES-3872.