Closed romanpryshliak closed 3 months ago
We already use sanitizer to prevent XSS attacks. I believe it should be safe.
https://github.com/Redocly/redoc/blob/main/src/components/Markdown/SanitizedMdBlock.tsx#L27-L29
```tsx
import * as DOMPurify from 'dompurify';
...
dangerouslySetInnerHTML={{
  __html: sanitize(options.untrustedSpec, rest.html),
}}
```
@AlexVarchuk I think it's off by default. We need to enable it for our demo.
We have `untrustedSpec: true` inside our demo.
I also made separate tests with this string, and they work the same way. Regarding the documentation, dompurify cleans attributes and events inside HTML. It seems it considers this case not critical because it works in other cases.
Got it. Let's close it then.
Describe the bug
https://redocly.github.io/redoc/ renders the `<input>` tags.
Minimal reproducible OpenAPI snippet (if possible)
Screenshots