Browse Source
The /docs and /redoc endpoints embed openapi_url, oauth2_redirect_url, title, and CDN URLs directly into HTML and JavaScript using f-strings without escaping. When root_path comes from a reverse proxy header (like X-Forwarded-Prefix), an attacker can inject arbitrary JavaScript into the generated page. This applies html.escape() to values in HTML attribute and text contexts, and uses the existing _html_safe_json() (which produces properly quoted JSON strings) for values embedded in JavaScript contexts. This is the same approach already used for swagger_ui_parameters.pull/15423/head
3 changed files with 13 additions and 12 deletions
Loading…
Reference in new issue