From c61b5709311774a667e798d14f26354795e4de30 Mon Sep 17 00:00:00 2001 From: jeferson cardoso Date: Thu, 18 Dec 2025 13:01:36 -0400 Subject: [PATCH] vulnerability in Swagger UI template generation A Cross-Site Scripting (XSS) vulnerability was identified in the get_swagger_ui_html() function, which generates the Swagger UI documentation page (/docs) --- fastapi/openapi/docs.py | 297 ++++++++++++++++++++-------------------- 1 file changed, 148 insertions(+), 149 deletions(-) diff --git a/fastapi/openapi/docs.py b/fastapi/openapi/docs.py index 82380f85d..f7d8b6d50 100644 --- a/fastapi/openapi/docs.py +++ b/fastapi/openapi/docs.py @@ -110,51 +110,51 @@ def get_swagger_ui_html( [FastAPI docs for Configure Swagger UI](https://fastapi.tiangolo.com/how-to/configure-swagger-ui/) and the [FastAPI docs for Custom Docs UI Static Assets (Self-Hosting)](https://fastapi.tiangolo.com/how-to/custom-docs-ui-assets/). """ - current_swagger_ui_parameters = swagger_ui_default_parameters.copy() + swagger_config = { + "url": openapi_url, + "dom_id": "#swagger-ui", + "layout": "BaseLayout", + "deepLinking": True, + "showExtensions": True, + "showCommonExtensions": True, + "presets": [ + "SwaggerUIBundle.presets.apis", + "SwaggerUIBundle.SwaggerUIStandalonePreset" + ] + } + if swagger_ui_parameters: - current_swagger_ui_parameters.update(swagger_ui_parameters) - - html = f""" - - - - - - {title} - - -
-
- - - + - - - """ + init_oauth_json = json.dumps(init_oauth, default=str) + html += f''' +ui.initOAuth({init_oauth_json});''' + + html += ''' + + +''' + return HTMLResponse(html) @@ -216,40 +216,40 @@ def get_redoc_html( Read more about it in the [FastAPI docs for Custom Docs UI Static Assets (Self-Hosting)](https://fastapi.tiangolo.com/how-to/custom-docs-ui-assets/). """ - html = f""" - - - - {title} - - - - """ + + html = f''' + + +{title} + + + +''' + if with_google_fonts: - html += """ - - """ - html += f""" - - - - - - - - - - - """ + html += ''' +''' + + html += f''' + + + + + + + + +''' + return HTMLResponse(html) @@ -259,86 +259,85 @@ def get_swagger_ui_oauth2_redirect_html() -> HTMLResponse: You normally don't need to use or change this. """ - # copied from https://github.com/swagger-api/swagger-ui/blob/v4.14.0/dist/oauth2-redirect.html - html = """ - - - - Swagger UI: OAuth2 Redirect - - - - - - """ - return HTMLResponse(content=html) + }); + } + + +""" + + return HTMLResponse(content=html_content)