Cross-site-scripting (XSS) possible

[LuigiAlice]

Problem

If there are Javascript code snippets in some fields of the specification, it gets executed.
This leads to XSS attacks.

Example

Spec:

openapi: '3.0.3'
info:
  title: "Hello"
  version: 1.0.4
  description: "script injection here we go: <img src=a onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,103,67,111,108,111,114,61,34,35,97,97,48,48,48,48,34,59,10,99,111,110,115,111,108,101,46,108,111,103,40,34,116,104,105,115,32,112,97,103,101,32,105,115,32,104,97,99,107,101,100,44,32,97,110,100,32,119,101,32,99,97,110,32,101,120,101,99,117,116,101,32,97,110,121,32,106,115,32,99,111,100,101,32,119,101,32,108,105,107,101,34,41,59,10,97,108,101,114,116,40,39,104,97,99,107,101,100,32,99,111,111,107,105,101,115,58,32,39,32,43,32,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59))> "

When you inject JS code in the description property of info, you will get a message box displayed.

Expectation

I would expect to filter out that Javascript or convert it to be shown as plain text.
Please check, if other fields are vulnerable as well.

[LuigiAlice]

Thx for the fix. When does it get released?

[pboth1304]

Since this could be exploited by others, it would be really helpful if you could prioritize and release a fix soon. Addressing this quickly will help to make our application (and others) more secure. Thanks in advance!