From 559b315d0d997dba0ef14457e0c9de867a586a15 Mon Sep 17 00:00:00 2001
From: Owen Conti <owen@ohseemedia.com>
Date: Sun, 1 Oct 2017 10:30:41 -0600
Subject: [PATCH 1/5] Initial test for Markdown <script> sanitization

---
 package.json                                  |  2 +-
 .../plugins/oas3/wrap-components/markdown.js  | 10 ++++++--
 test/xss/markdown-script-sanitization.js      | 24 +++++++++++++++++++
 3 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 test/xss/markdown-script-sanitization.js

diff --git a/package.json b/package.json
index 6ff63422..eeac00a5 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
     "test": "npm run lint-errors && npm run just-test-in-node",
     "test-in-node": "npm run lint-errors && npm run just-test-in-node",
     "just-test": "karma start --config karma.conf.js",
-    "just-test-in-node": "mocha --recursive --compilers js:babel-core/register test/core test/components test/bugs test/swagger-ui-dist-package",
+    "just-test-in-node": "mocha --recursive --compilers js:babel-core/register test/core test/components test/bugs test/swagger-ui-dist-package test/xss",
     "test-e2e": "sleep 3 && nightwatch test/e2e/scenarios/ --config test/e2e/nightwatch.json",
     "e2e-initial-render": "nightwatch test/e2e/scenarios/ --config test/e2e/nightwatch.json --group initial-render",
     "mock-api": "json-server --watch test/e2e/db.json --port 3204",
diff --git a/src/core/plugins/oas3/wrap-components/markdown.js b/src/core/plugins/oas3/wrap-components/markdown.js
index 103a2801..2d7f27e7 100644
--- a/src/core/plugins/oas3/wrap-components/markdown.js
+++ b/src/core/plugins/oas3/wrap-components/markdown.js
@@ -1,10 +1,11 @@
 import React from "react"
+import PropTypes from "prop-types"
 import ReactMarkdown from "react-markdown"
 import { Parser, HtmlRenderer } from "commonmark"
 import { OAS3ComponentWrapFactory } from "../helpers"
 import { sanitizer } from "core/components/providers/markdown"
 
-export default OAS3ComponentWrapFactory(({ source }) => { 
+export const Markdown = ({ source }) => { 
   if ( source ) {
     const parser = new Parser()
     const writer = new HtmlRenderer()
@@ -23,4 +24,9 @@ export default OAS3ComponentWrapFactory(({ source }) => {
     )
   }
   return null
-})
\ No newline at end of file
+}
+Markdown.propTypes = {
+  source: PropTypes.string
+}
+
+export default OAS3ComponentWrapFactory(Markdown)
\ No newline at end of file
diff --git a/test/xss/markdown-script-sanitization.js b/test/xss/markdown-script-sanitization.js
new file mode 100644
index 00000000..4a353316
--- /dev/null
+++ b/test/xss/markdown-script-sanitization.js
@@ -0,0 +1,24 @@
+/* eslint-env mocha */
+import React from "react"
+import expect from "expect"
+import { render } from "enzyme"
+import Markdown from "components/providers/markdown"
+import { Markdown as OAS3Markdown } from "corePlugins/oas3/wrap-components/markdown.js"
+
+describe.only("Markdown Script Sanitization", function() {
+  describe("Swagger 2.0", function() {
+    it("sanitizes <script> elements", function() {
+      const str = `script <script>alert(1)</script>`
+      const el = render(<Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="markdown"><p>script </p>\n</div>`)
+    })
+  })
+
+  describe("OAS 3", function() {
+    it("sanitizes <script> elements", function() {
+      const str = `script <script>alert(1)</script>`
+      const el = render(<OAS3Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><p>script </p></div></div>`)
+    })
+  })
+})

From 5a69603beb454a0d15002bfbd82902d9480e27b1 Mon Sep 17 00:00:00 2001
From: Owen Conti <owen@ohseemedia.com>
Date: Sun, 1 Oct 2017 13:59:28 -0600
Subject: [PATCH 2/5] Test for sanitizing <img> elements. Test sanitization of
 the <Info /> component

---
 test/xss/info-sanitization.js            | 33 ++++++++++++++++++++++++
 test/xss/markdown-script-sanitization.js | 12 +++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 test/xss/info-sanitization.js

diff --git a/test/xss/info-sanitization.js b/test/xss/info-sanitization.js
new file mode 100644
index 00000000..6549aa11
--- /dev/null
+++ b/test/xss/info-sanitization.js
@@ -0,0 +1,33 @@
+/* eslint-env mocha */
+import React from "react"
+import expect from "expect"
+import { render } from "enzyme"
+import { fromJS } from "immutable"
+import Info from "components/info"
+import Markdown from "components/providers/markdown"
+
+describe.only("<Info/> Sanitization", function(){
+	const dummyComponent = () => null
+	const components = {
+		Markdown
+	}
+	const props = {
+		getComponent: c => components[c] || dummyComponent,
+		info: fromJS({
+			title: "Test Title **strong** <script>alert(1)</script>",
+			description: "Description *with* <script>Markdown</script>"
+		}),
+		host: "example.test",
+		basePath: "/api"
+	}
+
+	it("renders sanitized .title content", function(){
+		let wrapper = render(<Info {...props}/>)
+		expect(wrapper.find(".title").html()).toEqual("Test Title **strong** &lt;script&gt;alert(1)&lt;/script&gt;")
+	})
+
+	it("renders sanitized .description content", function() {
+		let wrapper = render(<Info {...props}/>)
+		expect(wrapper.find(".description").html()).toEqual("<div class=\"markdown\"><p>Description <em>with</em> </p>\n</div>")
+	})
+})
diff --git a/test/xss/markdown-script-sanitization.js b/test/xss/markdown-script-sanitization.js
index 4a353316..ef374dd7 100644
--- a/test/xss/markdown-script-sanitization.js
+++ b/test/xss/markdown-script-sanitization.js
@@ -12,6 +12,12 @@ describe.only("Markdown Script Sanitization", function() {
       const el = render(<Markdown source={str} />)
       expect(el.html()).toEqual(`<div class="markdown"><p>script </p>\n</div>`)
     })
+
+    it("sanitizes <img> elements", function() {
+      const str = `<img src=x onerror="alert('img-in-description')">`
+      const el = render(<Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="markdown"><p><img src="x"></p>\n</div>`)
+    })
   })
 
   describe("OAS 3", function() {
@@ -20,5 +26,11 @@ describe.only("Markdown Script Sanitization", function() {
       const el = render(<OAS3Markdown source={str} />)
       expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><p>script </p></div></div>`)
     })
+
+    it("sanitizes <img> elements", function() {
+      const str = `<img src=x onerror="alert('img-in-description')">`
+      const el = render(<OAS3Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><img src="x"></div></div>`)
+    })
   })
 })

From 729fd71546a156ebb66346f63078d9771c1bda8d Mon Sep 17 00:00:00 2001
From: Owen Conti <owen@ohseemedia.com>
Date: Sun, 8 Oct 2017 09:09:29 -0600
Subject: [PATCH 3/5] Fixes #3734

Add <h1> and <h2> elements to sanitizer options.
---
 src/core/components/providers/markdown.jsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/components/providers/markdown.jsx b/src/core/components/providers/markdown.jsx
index 2b21c10b..ef95c6ae 100644
--- a/src/core/components/providers/markdown.jsx
+++ b/src/core/components/providers/markdown.jsx
@@ -29,7 +29,7 @@ Markdown.propTypes = {
 export default Markdown
 
 const sanitizeOptions = {
-    allowedTags: sanitize.defaults.allowedTags.concat([ "img" ]),
+    allowedTags: sanitize.defaults.allowedTags.concat([ "h1", "h2", "img" ]),
     textFilter: function(text) {
         return text.replace(/&quot;/g, "\"")
     }

From 1785d48746274f7e6d9727b2edb7ae0920caaab0 Mon Sep 17 00:00:00 2001
From: Owen Conti <owen@ohseemedia.com>
Date: Sun, 8 Oct 2017 10:13:09 -0600
Subject: [PATCH 4/5] Remove .only from existing tests. Add markdown test cases
 for heading elements.

---
 test/components/markdown.js              | 38 ++++++++++++++++++++++++
 test/xss/info-sanitization.js            |  2 +-
 test/xss/markdown-script-sanitization.js |  2 +-
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 test/components/markdown.js

diff --git a/test/components/markdown.js b/test/components/markdown.js
new file mode 100644
index 00000000..6dd87053
--- /dev/null
+++ b/test/components/markdown.js
@@ -0,0 +1,38 @@
+/* eslint-env mocha */
+import React from "react"
+import expect from "expect"
+import { render } from "enzyme"
+import Markdown from "components/providers/markdown"
+import { Markdown as OAS3Markdown } from "corePlugins/oas3/wrap-components/markdown.js"
+
+describe.only("Markdown component", function() {
+  describe("Swagger 2.0", function() {
+    it("allows heading elements", function() {
+      const str = `
+# h1
+## h2
+### h3
+#### h4
+##### h5
+###### h6
+      `
+      const el = render(<Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="markdown"><h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6>\n</div>`)
+    })
+  })
+
+  describe("OAS 3", function() {
+    it("allows heading elements", function() {
+        const str = `
+  # h1
+  ## h2
+  ### h3
+  #### h4
+  ##### h5
+  ###### h6
+        `
+        const el = render(<OAS3Markdown source={str} />)
+        expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6></div></div>`)
+      })
+  })
+})
diff --git a/test/xss/info-sanitization.js b/test/xss/info-sanitization.js
index 6549aa11..e868fe9f 100644
--- a/test/xss/info-sanitization.js
+++ b/test/xss/info-sanitization.js
@@ -6,7 +6,7 @@ import { fromJS } from "immutable"
 import Info from "components/info"
 import Markdown from "components/providers/markdown"
 
-describe.only("<Info/> Sanitization", function(){
+describe("<Info/> Sanitization", function(){
 	const dummyComponent = () => null
 	const components = {
 		Markdown
diff --git a/test/xss/markdown-script-sanitization.js b/test/xss/markdown-script-sanitization.js
index ef374dd7..9d6624c7 100644
--- a/test/xss/markdown-script-sanitization.js
+++ b/test/xss/markdown-script-sanitization.js
@@ -5,7 +5,7 @@ import { render } from "enzyme"
 import Markdown from "components/providers/markdown"
 import { Markdown as OAS3Markdown } from "corePlugins/oas3/wrap-components/markdown.js"
 
-describe.only("Markdown Script Sanitization", function() {
+describe("Markdown Script Sanitization", function() {
   describe("Swagger 2.0", function() {
     it("sanitizes <script> elements", function() {
       const str = `script <script>alert(1)</script>`

From 60e8091eedde05244a1d8c498b5f85f7390ed9af Mon Sep 17 00:00:00 2001
From: Owen Conti <owen@ohseemedia.com>
Date: Sun, 8 Oct 2017 10:26:32 -0600
Subject: [PATCH 5/5] Add unit test for images in markdown

---
 src/core/components/providers/markdown.jsx |  3 ++
 test/components/markdown.js                | 56 +++++++++++++---------
 2 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/src/core/components/providers/markdown.jsx b/src/core/components/providers/markdown.jsx
index ef95c6ae..2ef8b6a6 100644
--- a/src/core/components/providers/markdown.jsx
+++ b/src/core/components/providers/markdown.jsx
@@ -30,6 +30,9 @@ export default Markdown
 
 const sanitizeOptions = {
     allowedTags: sanitize.defaults.allowedTags.concat([ "h1", "h2", "img" ]),
+    allowedAttributes: {
+        "img": sanitize.defaults.allowedAttributes.img.concat(["title"])
+    },
     textFilter: function(text) {
         return text.replace(/&quot;/g, "\"")
     }
diff --git a/test/components/markdown.js b/test/components/markdown.js
index 6dd87053..01a55e1c 100644
--- a/test/components/markdown.js
+++ b/test/components/markdown.js
@@ -5,34 +5,44 @@ import { render } from "enzyme"
 import Markdown from "components/providers/markdown"
 import { Markdown as OAS3Markdown } from "corePlugins/oas3/wrap-components/markdown.js"
 
-describe.only("Markdown component", function() {
-  describe("Swagger 2.0", function() {
-    it("allows heading elements", function() {
-      const str = `
+describe("Markdown component", function() {
+    describe("Swagger 2.0", function() {
+        it("allows image elements", function() {
+            const str = `![Image alt text](http://image.source "Image title")`
+            const el = render(<Markdown source={str} />)
+            expect(el.html()).toEqual(`<div class="markdown"><p><img src="http://image.source" title="Image title"></p>\n</div>`)
+        })
+
+        it("allows heading elements", function() {
+            const str = `
 # h1
 ## h2
 ### h3
 #### h4
 ##### h5
-###### h6
-      `
-      const el = render(<Markdown source={str} />)
-      expect(el.html()).toEqual(`<div class="markdown"><h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6>\n</div>`)
+###### h6`
+            const el = render(<Markdown source={str} />)
+            expect(el.html()).toEqual(`<div class="markdown"><h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6>\n</div>`)
+        })
     })
-  })
 
-  describe("OAS 3", function() {
-    it("allows heading elements", function() {
-        const str = `
-  # h1
-  ## h2
-  ### h3
-  #### h4
-  ##### h5
-  ###### h6
-        `
-        const el = render(<OAS3Markdown source={str} />)
-        expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6></div></div>`)
-      })
-  })
+    describe("OAS 3", function() {
+        it("allows image elements", function() {
+            const str = `![Image alt text](http://image.source "Image title")`
+            const el = render(<OAS3Markdown source={str} />)
+            expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><p><img src="http://image.source" title="Image title"></p></div></div>`)
+        })
+
+        it("allows heading elements", function() {
+            const str = `
+# h1
+## h2
+### h3
+#### h4
+##### h5
+###### h6`
+            const el = render(<OAS3Markdown source={str} />)
+            expect(el.html()).toEqual(`<div class="renderedMarkdown"><div><h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6></div></div>`)
+        })
+    })
 })