diff --git a/Application/EdFi.Ods.SwaggerUI/Resources/Swashbuckle_index.html b/Application/EdFi.Ods.SwaggerUI/Resources/Swashbuckle_index.html
index ed9ebc788..cab965b1a 100644
--- a/Application/EdFi.Ods.SwaggerUI/Resources/Swashbuckle_index.html
+++ b/Application/EdFi.Ods.SwaggerUI/Resources/Swashbuckle_index.html
@@ -1,4 +1,4 @@
-
+
@@ -80,6 +80,30 @@
 configObject.presets = [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset];
 configObject.layout = "StandaloneLayout";
+ configObject.plugins = [function UrlParamDisablePlugin() {
+ return {
+ statePlugins: {
+ spec: {
+ wrapActions: {
+ // Workaround listed in https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
+ // Remove ?url and ?configUrl parameters from loading an external URLs.
+ updateUrl: (oriAction) => (payload) => {
+ const url = new URL(window.location.href)
+ if (url.searchParams.has('configUrl')) {
+ url.searchParams.delete('configUrl')
+ window.location.replace(url.toString())
+ }
+ if (url.searchParams.has('url')) {
+ url.searchParams.delete('url')
+ window.location.replace(url.toString())
+ }
+ return oriAction(payload)
+ }
+ }
+ }
+ }
+ }
+ }];
 // Begin Swagger UI call region
 const ui = SwaggerUIBundle(configObject);
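Review bot: In the second hunk, the `updateUrl` wrapper still ends with `return oriAction(payload)` after calling `window.location.replace(...)`, so on the pass where a `url` or `configUrl` parameter is found the original action still runs with a payload that presumably carries the query-supplied address, and when both parameters are present `replace` is called twice. Strip both parameters, navigate once and return without forwarding the payload, as in the excerpt below, which replaces the wrapper body between `const url` and the final return. The check also runs only when `updateUrl` is dispatched; whether Swagger UI has already requested the document named by `configUrl` by that point is not visible in this hunk and should be confirmed against the bundled version. A comment stating that the plugin can be removed once the bundle is upgraded to a release carrying the advisory's fix would help the next maintainer.

```javascript
const url = new URL(window.location.href)
const blocked = ['configUrl', 'url'].filter((name) => url.searchParams.has(name))
if (blocked.length > 0) {
  blocked.forEach((name) => url.searchParams.delete(name))
  // Navigate once to the cleaned address and do not hand the
  // query-supplied value to the original action on this pass.
  window.location.replace(url.toString())
  return undefined
}
// … unchanged: return oriAction(payload) …
```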