
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-07 06:12:22 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-07 06:12:22 +0300
commit6a5b78ac6945c0b0cd42293f11c94c2b3750fddc (patch)
tree766f1d511d9737437d9f7e2b24f41c6887bf2229 /app/assets/javascripts/blob
parentec6dd14345a117d1ff4db3b0b19a1c0fa4c7e61b (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/assets/javascripts/blob')
-rw-r--r--app/assets/javascripts/blob/openapi/index.js6
1 files changed, 6 insertions, 0 deletions
diff --git a/app/assets/javascripts/blob/openapi/index.js b/app/assets/javascripts/blob/openapi/index.js
index cb251274b18..b19cc19cb8c 100644
--- a/app/assets/javascripts/blob/openapi/index.js
+++ b/app/assets/javascripts/blob/openapi/index.js
@@ -1,5 +1,6 @@
import { SwaggerUIBundle } from 'swagger-ui-dist';
import createFlash from '~/flash';
+import { removeParams, updateHistory } from '~/lib/utils/url_utility';
import { __ } from '~/locale';
export default () => {
@@ -7,9 +8,14 @@ export default () => {
Promise.all([import(/* webpackChunkName: 'openapi' */ 'swagger-ui-dist/swagger-ui.css')])
.then(() => {
+ // Temporary fix to prevent an XSS attack due to "useUnsafeMarkdown"
+ // Once we upgrade Swagger to "4.0.0", we can safely remove this as it will be deprecated
+ // Follow-up issue: https://gitlab.com/gitlab-org/gitlab/-/issues/339696
+ updateHistory({ url: removeParams(['useUnsafeMarkdown']), replace: true });
SwaggerUIBundle({
url: el.dataset.endpoint,
dom_id: '#js-openapi-viewer',
+ useUnsafeMarkdown: false,
});
})
.catch((error) => {
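Review bot: The mitigation at the `updateHistory(...)` line only works if it runs before `SwaggerUIBundle(...)`, and the added comment does not say so; presumably the viewer reads options from the query string and those can override the object passed to it, which is why `useUnsafeMarkdown: false` alone is not enough. I would extend the comment with something like `// Must stay before SwaggerUIBundle(): options in the page URL can override the config passed below`, so a later refactor does not reorder or drop the strip. The strip is also a denylist of one literal key, and whether `removeParams` compares decoded keys is not visible here. A spec asserting the parameter is gone however the key is encoded, and that the viewer ends up with unsafe markdown disabled, would pin the behaviour until the Swagger upgrade. The enclosing `export default` function starts in the previous hunk and the `.catch` handler continues past this one.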