From c0698bb21569854a1a4c62f7b01edb8f69fc8fa1 Mon Sep 17 00:00:00 2001
From: Roman Hotsiy <gotsijroman@gmail.com>
Date: Fri, 12 May 2017 12:38:05 +0300
Subject: [PATCH] fix: prevent possible xss using `untrusted-spec` option

---
 README.md                       |  1 +
 demo/index-gh.html              |  2 +-
 demo/index.html                 |  2 +-
 lib/services/options.service.ts |  3 +++
 lib/utils/pipes.ts              | 12 +++++++-----
 5 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 068a26be..eb6f15b6 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,7 @@ ReDoc makes use of the following [vendor extensions](http://swagger.io/specifica
 
 ### `<redoc>` tag attributes
 * `spec-url` - relative or absolute url to your spec file;
+* `untrusted-spec` - if set, the spec is considered untrusted and all HTML/markdown is sanitized to prevent XSS. **Disabled by default** for performance reasons. **Enable this option if you work with untrusted user data!**
 * `scroll-y-offset` - If set, specifies a vertical scroll-offset. This is often useful when there are fixed positioned elements at the top of the page, such as navbars, headers etc;
 `scroll-y-offset` can be specified in various ways:
   * **number**: A fixed number of pixels to be used as offset;
diff --git a/demo/index-gh.html b/demo/index-gh.html
index 17724a03..5835dfc9 100644
--- a/demo/index-gh.html
+++ b/demo/index-gh.html
@@ -22,7 +22,7 @@
       frameborder="0" scrolling="0" width="130px" height="30px"></iframe>
     </nav>
 
-    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering></redoc>
+    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering untrusted-spec></redoc>
 
     <script src="main.js"> </script>
     <script src="./dist/redoc.min.js"> </script>
diff --git a/demo/index.html b/demo/index.html
index ee983bf4..8ef1e02a 100644
--- a/demo/index.html
+++ b/demo/index.html
@@ -22,7 +22,7 @@
       frameborder="0" scrolling="0" width="130px" height="30px"></iframe>
     </nav>
 
-    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering></redoc>
+    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering untrusted-spec></redoc>
 
     <script>
       window.__REDOC_DEV__ = true;
diff --git a/lib/services/options.service.ts b/lib/services/options.service.ts
index c861fdcd..c2972ec2 100644
--- a/lib/services/options.service.ts
+++ b/lib/services/options.service.ts
@@ -19,6 +19,7 @@ const OPTION_NAMES = new Set([
   'requiredPropsFirst',
   'noAutoAuth',
   'pathInMiddlePanel',
+  'untrustedSpec'
 ]);
 
 export interface Options {
@@ -33,6 +34,7 @@ export interface Options {
   requiredPropsFirst?: boolean;
   noAutoAuth?: boolean;
   pathInMiddlePanel?: boolean;
+  untrustedSpec?: boolean;
   spec?: any;
 }
 
@@ -101,6 +103,7 @@ export class OptionsService {
     if (isString(this._options.requiredPropsFirst)) this._options.requiredPropsFirst = true;
     if (isString(this._options.noAutoAuth)) this._options.noAutoAuth = true;
     if (isString(this._options.pathInMiddlePanel)) this._options.pathInMiddlePanel = true;
+    if (isString(this._options.untrustedSpec)) this._options.untrustedSpec = true;
     if (isString(this._options.expandResponses)) {
       let str = this._options.expandResponses as string;
       if (str === 'all') return;
diff --git a/lib/utils/pipes.ts b/lib/utils/pipes.ts
index 679ea93d..4f8a7802 100644
--- a/lib/utils/pipes.ts
+++ b/lib/utils/pipes.ts
@@ -6,6 +6,7 @@ import { isString, stringify, isBlank } from './helpers';
 import JsonPointer from './JsonPointer';
 import { MdRenderer } from './';
 import { JsonFormatter } from './JsonFormatterPipe';
+import { OptionsService } from '../services/options.service';
 
 declare var Prism: any;
 
@@ -48,18 +49,19 @@ export class JsonPointerEscapePipe implements PipeTransform {
 @Pipe({ name: 'marked' })
 export class MarkedPipe implements PipeTransform {
   renderer: MdRenderer;
-  constructor(private sanitizer: DomSanitizer) {
+  unstrustedSpec: boolean;
+
+  constructor(private sanitizer: DomSanitizer, optionsService: OptionsService) {
     this.renderer = new MdRenderer(true);
+    this.unstrustedSpec = !!optionsService.options.untrustedSpec;
   }
   transform(value:string) {
     if (isBlank(value)) return value;
     if (!isString(value)) {
       throw new InvalidPipeArgumentException(JsonPointerEscapePipe, value);
     }
-
-    return this.sanitizer.bypassSecurityTrustHtml(
-      `<span class="redoc-markdown-block">${this.renderer.renderMd(value)}</span>`
-    );
+    let res = `<span class="redoc-markdown-block">${this.renderer.renderMd(value)}</span>`;
+    return this.unstrustedSpec ? res : this.sanitizer.bypassSecurityTrustHtml(res);
   }
 }