Authors: @adamaltman, Adam Altman (Redocly); @lornajane, Lorna Mitchell (Redocly)
Detects use of `<script>` tags in Markdown description fields. Since Markdown also supports HTML, if you are importing API descriptions from elsewhere and rendering them, you probably want to be sure that script tags are not included, since they can carry harmful content.
In `redocly.yaml`, configure the rule like this:
```yaml
rules:
  rule/no-script-tags-in-markdown:
    subject:
      type: any
      property: description
    assertions:
      notPattern: '<script'
    severity: warn
    message: Markdown descriptions should not contain script tags.
```
This will pick up the contents of any `description` field in an OpenAPI file and warn you with a coherent message if a script tag is found.
Here's a mini OpenAPI description, with a script tag in the `info.description` field:
```yaml
openapi: 3.1.0
info:
  title: Great API
  description: This is an excellent <script>alert("Tricked you!");</script> API
paths: {}
```
When you lint this OpenAPI file with the `rule/no-script-tags-in-markdown` rule, you'll see a warning:
Markdown descriptions should not contain script tags.
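The check the rule performs is simple enough to reproduce outside Redocly, which is useful when you want to scan API descriptions in a CI step or an import pipeline that does not run the Redocly CLI. The following is an added example written for this page, not Redocly's own implementation: it walks a parsed OpenAPI document, visits every string-valued `description` field (the `type: any` subject above), and reports those containing a script tag with the same message the rule uses. It deliberately matches more than the literal `<script` substring in the configuration above: the regex ignores case and whitespace after `<`, so `<SCRIPT>` and `< script>` are caught too. The sample document is constructed for the example, extending the page's mini API with an operation whose description uses an upper-case tag.

```python
import re
from typing import Any, Iterator

# Opening <script ...> tag, case-insensitive and tolerant of whitespace after '<'.
# This is broader than the literal '<script' substring the rule on this page uses.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

MESSAGE = "Markdown descriptions should not contain script tags."


def iter_descriptions(node: Any, pointer: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_pointer, text) for every string-valued 'description'
    anywhere in a parsed OpenAPI document, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            # RFC 6901 escaping so path keys such as '/users/{id}' stay unambiguous
            token = key.replace("~", "~0").replace("/", "~1")
            child = f"{pointer}/{token}"
            if key == "description" and isinstance(value, str):
                yield child, value
            yield from iter_descriptions(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_descriptions(value, f"{pointer}/{index}")


def lint_script_tags(document: Any) -> list[dict[str, str]]:
    """Return one finding per description field that contains a script tag."""
    findings = []
    for pointer, text in iter_descriptions(document):
        if SCRIPT_TAG.search(text):
            findings.append(
                {"location": pointer, "severity": "warn", "message": MESSAGE}
            )
    return findings


# Constructed sample: the page's mini OpenAPI description, parsed into a dict,
# plus an operation whose description uses an upper-case tag and a response
# whose description is clean and must not be flagged.
SAMPLE_API = {
    "openapi": "3.1.0",
    "info": {
        "title": "Great API",
        "description": 'This is an excellent <script>alert("Tricked you!");</script> API',
    },
    "paths": {
        "/users/{id}": {
            "get": {
                "description": "Returns a user. <SCRIPT src=x></SCRIPT>",
                "responses": {
                    "200": {"description": "A user record, no markup here."}
                },
            }
        }
    },
}

if __name__ == "__main__":
    for finding in lint_script_tags(SAMPLE_API):
        print(f"{finding['severity']}: {finding['location']}: {finding['message']}")
```

Running the script reports two findings, `/info/description` and `/paths/~1users~1{id}/get/description`, and leaves the response description alone. To scan a real file, load it with a YAML or JSON parser and pass the resulting object to `lint_script_tags`.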
Inspired by the Spectral rule no-script-tags-in-markdown.