From 5dd1cd435c30ba2d953cb39bd993114e0516ad89 Mon Sep 17 00:00:00 2001 From: jeferson cardoso Date: Thu, 18 Dec 2025 13:44:16 -0400 Subject: [PATCH] Refactor Swagger UI parameter handling in docs.py A Cross-Site Scripting (XSS) vulnerability was identified in the `get_swagger_ui_html()` function, which generates the Swagger UI documentation page (`/docs`). --- fastapi/openapi/docs.py | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/fastapi/openapi/docs.py b/fastapi/openapi/docs.py index 82380f85d..49a486f41 100644 --- a/fastapi/openapi/docs.py +++ b/fastapi/openapi/docs.py @@ -131,24 +131,36 @@ def get_swagger_ui_html( const ui = SwaggerUIBundle({{ url: '{openapi_url}', """ - + for key, value in current_swagger_ui_parameters.items(): - html += f"{json.dumps(key)}: {json.dumps(jsonable_encoder(value))},\n" - + + encoded_value = jsonable_encoder(value) + safe_value = json.dumps(encoded_value) + + + if isinstance(value, str) and safe_value.startswith('"') and safe_value.endswith('"'): + safe_value = safe_value[1:-1] # Remove aspas externas + + + html += f" {key}: {safe_value},\n" + + if oauth2_redirect_url: - html += f"oauth2RedirectUrl: window.location.origin + '{oauth2_redirect_url}'," + html += f"oauth2RedirectUrl: window.location.origin + '{oauth2_redirect_url}',\n" - html += """ - presets: [ - SwaggerUIBundle.presets.apis, - SwaggerUIBundle.SwaggerUIStandalonePreset + + html += """ presets: [ + SwaggerUIBundle.presets.apis, + SwaggerUIBundle.SwaggerUIStandalonePreset ], - })""" + }) + """ + if init_oauth: + init_oauth_json = json.dumps(jsonable_encoder(init_oauth)) html += f""" - ui.initOAuth({json.dumps(jsonable_encoder(init_oauth))}) - """ + ui.initOAuth({init_oauth_json})""" html += """