fix: prevent possible xss using untrusted-spec option

README.md

@@ -131,6 +131,7 @@ ReDoc makes use of the following [vendor extensions](http://swagger.io/specifica
 
 ### `<redoc>` tag attributes
 * `spec-url` - relative or absolute url to your spec file;
+* `untrusted-spec` - if set, the spec is considered untrusted and all HTML/markdown is sanitized to prevent XSS. **Disabled by default** for performance reasons. **Enable this option if you work with untrusted user data!**
 * `scroll-y-offset` - If set, specifies a vertical scroll-offset. This is often useful when there are fixed positioned elements at the top of the page, such as navbars, headers etc;
 `scroll-y-offset` can be specified in various ways:
   * **number**: A fixed number of pixels to be used as offset;

demo/index-gh.html

@@ -22,7 +22,7 @@
       frameborder="0" scrolling="0" width="130px" height="30px"></iframe>
     </nav>
 
-    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering></redoc>
+    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering untrusted-spec></redoc>
 
     <script src="main.js"> </script>
     <script src="./dist/redoc.min.js"> </script>

demo/index.html

@@ -22,7 +22,7 @@
       frameborder="0" scrolling="0" width="130px" height="30px"></iframe>
     </nav>
 
-    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering></redoc>
+    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering untrusted-spec></redoc>
 
     <script>
       window.__REDOC_DEV__ = true;

lib/services/options.service.ts

@@ -19,6 +19,7 @@ const OPTION_NAMES = new Set([
   'requiredPropsFirst',
   'noAutoAuth',
   'pathInMiddlePanel',
+  'untrustedSpec'
 ]);
 
 export interface Options {
@@ -33,6 +34,7 @@ export interface Options {
   requiredPropsFirst?: boolean;
   noAutoAuth?: boolean;
   pathInMiddlePanel?: boolean;
+  untrustedSpec?: boolean;
   spec?: any;
 }
 
@@ -101,6 +103,7 @@ export class OptionsService {
     if (isString(this._options.requiredPropsFirst)) this._options.requiredPropsFirst = true;
     if (isString(this._options.noAutoAuth)) this._options.noAutoAuth = true;
     if (isString(this._options.pathInMiddlePanel)) this._options.pathInMiddlePanel = true;
+    if (isString(this._options.untrustedSpec)) this._options.untrustedSpec = true;
     if (isString(this._options.expandResponses)) {
       let str = this._options.expandResponses as string;
       if (str === 'all') return;

lib/utils/pipes.ts

@@ -6,6 +6,7 @@ import { isString, stringify, isBlank } from './helpers';
 import JsonPointer from './JsonPointer';
 import { MdRenderer } from './';
 import { JsonFormatter } from './JsonFormatterPipe';
+import { OptionsService } from '../services/options.service';
 
 declare var Prism: any;
 
@@ -48,18 +49,19 @@ export class JsonPointerEscapePipe implements PipeTransform {
 @Pipe({ name: 'marked' })
 export class MarkedPipe implements PipeTransform {
   renderer: MdRenderer;
-  constructor(private sanitizer: DomSanitizer) {
+  unstrustedSpec: boolean;
+
+  constructor(private sanitizer: DomSanitizer, optionsService: OptionsService) {
     this.renderer = new MdRenderer(true);
+    this.unstrustedSpec = !!optionsService.options.untrustedSpec;
   }
   transform(value:string) {
     if (isBlank(value)) return value;
     if (!isString(value)) {
       throw new InvalidPipeArgumentException(JsonPointerEscapePipe, value);
     }
-
-    return this.sanitizer.bypassSecurityTrustHtml(
-      `<span class="redoc-markdown-block">${this.renderer.renderMd(value)}</span>`
-    );
+    let res = `<span class="redoc-markdown-block">${this.renderer.renderMd(value)}</span>`;
+    return this.unstrustedSpec ? res : this.sanitizer.bypassSecurityTrustHtml(res);
   }
 }