Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-03 09:59:43 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-03 09:59:43 +0000
commit: 6aefeb24873b0957456ae0deacbb431fc79a6a28 (patch)
tree: a803343e837f64c2d214a01098fa989097e203cb /app/assets/javascripts
parent: 9d9ee598bc514eaee681b40cdff4d12a3a8f412a (diff)
download: gitlab-ce-6aefeb24873b0957456ae0deacbb431fc79a6a28.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/app/assets/javascripts/blob/openapi/index.js b/app/assets/javascripts/blob/openapi/index.js
index cb251274b18..b19cc19cb8c 100644
--- a/app/assets/javascripts/blob/openapi/index.js
+++ b/app/assets/javascripts/blob/openapi/index.js
@@ -1,5 +1,6 @@
 import { SwaggerUIBundle } from 'swagger-ui-dist';
 import createFlash from '~/flash';
+import { removeParams, updateHistory } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 
 export default () => {
@@ -7,9 +8,14 @@ export default () => {
 
   Promise.all([import(/* webpackChunkName: 'openapi' */ 'swagger-ui-dist/swagger-ui.css')])
     .then(() => {
+      // Temporary fix to prevent an XSS attack due to "useUnsafeMarkdown"
+      // Once we upgrade Swagger to "4.0.0", we can safely remove this as it will be deprecated
+      // Follow-up issue: https://gitlab.com/gitlab-org/gitlab/-/issues/339696
+      updateHistory({ url: removeParams(['useUnsafeMarkdown']), replace: true });
       SwaggerUIBundle({
         url: el.dataset.endpoint,
         dom_id: '#js-openapi-viewer',
+        useUnsafeMarkdown: false,
       });
     })
     .catch((error) => {
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-03 09:59:43 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-03 09:59:43 +0000
commit	6aefeb24873b0957456ae0deacbb431fc79a6a28 (patch)
tree	a803343e837f64c2d214a01098fa989097e203cb /app/assets/javascripts
parent	9d9ee598bc514eaee681b40cdff4d12a3a8f412a (diff)
download	gitlab-ce-6aefeb24873b0957456ae0deacbb431fc79a6a28.tar.gz