Upgrade swagger-ui to solve XSS issues

This update fixes various styling leaks and prevents data-* attributes from being respected when specified inside user-generated content.

Upgrade swagger-ui to solve XSS issues
This update fixes various styling leaks and prevents data-* attributes from being respected when specified inside user-generated content.
370a0dc6 · Nick Thomas · 60ba024c · 370a0dc6 · 370a0dc6 · 370a0dc6
Commit 370a0dc6 authored Jun 15, 2020 by Nick Thomas
Showing with 10 additions and 5 deletions

changelogs/unreleased/security-208685-fix-swagger-ui-xss.yml changelogs/unreleased/security-208685-fix-swagger-ui-xss.yml +5 -0

package.json package.json +1 -1

yarn.lock yarn.lock +4 -4

No files found.
--- a/changelogs/unreleased/security-208685-fix-swagger-ui-xss.yml
+++ b/changelogs/unreleased/security-208685-fix-swagger-ui-xss.yml
+---
+title: Upgrade swagger-ui to solve XSS issues
+merge_request:
+author:
+type: security
--- a/package.json
+++ b/package.json
@@ -126,7 +126,7 @@
    "string-hash": "1.1.3",
    "style-loader": "^1.1.3",
    "svg4everybody": "2.1.9",
-    "swagger-ui-dist": "^3.24.3",
+    "swagger-ui-dist": "^3.26.2",
    "three": "^0.84.0",
    "three-orbit-controls": "^82.1.0",
    "three-stl-loader": "^1.0.4",

--- a/yarn.lock
+++ b/yarn.lock
@@ -11005,10 +11005,10 @@ svg4everybody@2.1.9:
  resolved "https://registry.yarnpkg.com/svg4everybody/-/svg4everybody-2.1.9.tgz#5bd9f6defc133859a044646d4743fabc28db7e2d"
  integrity sha1-W9n23vwTOFmgRGRtR0P6vCjbfi0=

-swagger-ui-dist@^3.24.3:
-  version "3.24.3"
-  resolved "https://registry.yarnpkg.com/swagger-ui-dist/-/swagger-ui-dist-3.24.3.tgz#99754d11b0ddd314a1a50db850acb415e4b0a0c6"
-  integrity sha512-kB8qobP42Xazaym7sD9g5mZuRL4416VIIYZMqPEIskkzKqbPLQGEiHA3ga31bdzyzFLgr6Z797+6X1Am6zYpbg==
+swagger-ui-dist@^3.26.2:
+  version "3.26.2"
+  resolved "https://registry.yarnpkg.com/swagger-ui-dist/-/swagger-ui-dist-3.26.2.tgz#22c700906c8911b1c9956da6c3fca371dba6219f"
+  integrity sha512-cpR3A9uEs95gGQSaIXgiTpnetIifTF1u2a0fWrnVl+HyLpCdHVgOy7FGlVD1iVkts7AE5GOiGjA7VyDNiRaNgw==

 symbol-observable@^1.0.2:
  version "1.2.0"