@orpc/openapi 1.13.8 → 1.13.10

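--- a/package/README.md
+++ b/package/README.md
@@ -116,7 +116,6 @@ If you find oRPC valuable and would like to support its development, you can do
 <table>
 <tr>
 <td align="center"><a href="https://misskey.io/?ref=orpc" target="_blank" rel="noopener" title="村上さん"><img src="https://avatars.githubusercontent.com/u/37681609?u=0dd4c7e4ba937cbb52b068c55914b1d8164dc0c7&amp;v=4" width="167" alt="村上さん"/><br />村上さん</a></td>
-<td align="center"><a href="https://valerii15298.github.io/?ref=orpc" target="_blank" rel="noopener" title="Valerii Petryniak"><img src="https://avatars.githubusercontent.com/u/44531564?u=88ac74d9bacd20401518441907acad21063cd397&amp;v=4" width="167" alt="Valerii Petryniak"/><br />Valerii Petryniak</a></td>
 <td align="center"><a href="https://github.com/christ12938?ref=orpc" target="_blank" rel="noopener" title="christ12938"><img src="https://avatars.githubusercontent.com/u/25758598?v=4" width="167" alt="christ12938"/><br />christ12938</a></td>
 </tr>
 </table>
@@ -134,16 +133,16 @@ If you find oRPC valuable and would like to support its development, you can do
 <table>
 <tr>
 <td align="center"><a href="https://github.com/hrmcdonald?ref=orpc" target="_blank" rel="noopener" title="Reece McDonald"><img src="https://avatars.githubusercontent.com/u/39349270?v=4" width="119" alt="Reece McDonald"/><br />Reece McDonald</a></td>
-<td align="center"><a href="https://github.com/Scrumplex?ref=orpc" target="_blank" rel="noopener" title="Sefa Eyeoglu"><img src="https://avatars.githubusercontent.com/u/11587657?u=ab503582165c0bbff0cca47ce31c9450bb1553c9&amp;v=4" width="119" alt="Sefa Eyeoglu"/><br />Sefa Eyeoglu</a></td>
 <td align="center"><a href="https://github.com/u1-liquid?ref=orpc" target="_blank" rel="noopener" title="あわわわとーにゅ"><img src="https://avatars.githubusercontent.com/u/17376330?u=de3353804be889f009f7e0a1582daf04d0ab292d&amp;v=4" width="119" alt="あわわわとーにゅ"/><br />あわわわとーにゅ</a></td>
 <td align="center"><a href="https://github.com/nicognaW?ref=orpc" target="_blank" rel="noopener" title="nk"><img src="https://avatars.githubusercontent.com/u/66731869?u=4699bda3a9092d3ec34fbd959450767bcc8b8b6d&amp;v=4" width="119" alt="nk"/><br />nk</a></td>
 <td align="center"><a href="https://github.com/supastarter?ref=orpc" target="_blank" rel="noopener" title="supastarter"><img src="https://avatars.githubusercontent.com/u/110960143?v=4" width="119" alt="supastarter"/><br />supastarter</a></td>
 <td align="center"><a href="https://github.com/divmgl?ref=orpc" target="_blank" rel="noopener" title="Dexter Miguel"><img src="https://avatars.githubusercontent.com/u/5452298?u=645993204be8696c085ecf0d228c3062efe2ed65&amp;v=4" width="119" alt="Dexter Miguel"/><br />Dexter Miguel</a></td>
 <td align="center"><a href="https://github.com/herrfugbaum?ref=orpc" target="_blank" rel="noopener" title="herrfugbaum"><img src="https://avatars.githubusercontent.com/u/12859776?u=644dc1666d0220bc0468eb0de3c56b919f635b16&amp;v=4" width="119" alt="herrfugbaum"/><br />herrfugbaum</a></td>
+<td align="center"><a href="https://github.com/ryota-murakami?ref=orpc" target="_blank" rel="noopener" title="Ryota Murakami"><img src="https://avatars.githubusercontent.com/u/5501268?u=599389e03340734325726ca3f8f423c021d47d7f&amp;v=4" width="119" alt="Ryota Murakami"/><br />Ryota Murakami</a></td>
 </tr>
 <tr>
-<td align="center"><a href="https://github.com/ryota-murakami?ref=orpc" target="_blank" rel="noopener" title="Ryota Murakami"><img src="https://avatars.githubusercontent.com/u/5501268?u=599389e03340734325726ca3f8f423c021d47d7f&amp;v=4" width="119" alt="Ryota Murakami"/><br />Ryota Murakami</a></td>
 <td align="center"><a href="https://github.com/dcramer?ref=orpc" target="_blank" rel="noopener" title="David Cramer"><img src="https://avatars.githubusercontent.com/u/23610?v=4" width="119" alt="David Cramer"/><br />David Cramer</a></td>
+<td align="center"><a href="https://github.com/valerii15298?ref=orpc" target="_blank" rel="noopener" title="Valerii Petryniak"><img src="https://avatars.githubusercontent.com/u/44531564?u=88ac74d9bacd20401518441907acad21063cd397&amp;v=4" width="119" alt="Valerii Petryniak"/><br />Valerii Petryniak</a></td>
 <td align="center"><a href="https://github.com/happyboy2022?ref=orpc" target="_blank" rel="noopener" title="happyboy"><img src="https://avatars.githubusercontent.com/u/103669586?u=65b49c4b893ed3703909fbb3a7a22313f3f9c121&amp;v=4" width="119" alt="happyboy"/><br />happyboy</a></td>
 <td align="center"><a href="https://github.com/letstri?ref=orpc" target="_blank" rel="noopener" title="Valerii Strilets"><img src="https://avatars.githubusercontent.com/u/13253748?u=c7b10399ccc8f8081e24db94ec32cd9858e86ac3&amp;v=4" width="119" alt="Valerii Strilets"/><br />Valerii Strilets</a></td>
 <td align="center"><a href="https://github.com/K-Mistele?ref=orpc" target="_blank" rel="noopener" title="Kyle Mistele"><img src="https://avatars.githubusercontent.com/u/18430555?u=3afebeb81de666e35aaac3ed46f14159d7603ffb&amp;v=4" width="119" alt="Kyle Mistele"/><br />Kyle Mistele</a></td>
@@ -207,6 +206,7 @@ If you find oRPC valuable and would like to support its development, you can do
 <a href="https://github.com/NovakAnton?ref=orpc" target="_blank" rel="noopener" title="Novak Antonijevic"><img src="https://avatars.githubusercontent.com/u/157126729?u=ae49fa22292d55c0434ff0ca008206155b18663b&amp;v=4" width="32" height="32" alt="Novak Antonijevic" /></a>
 <a href="https://github.com/laduniestu?ref=orpc" target="_blank" rel="noopener" title="Laduni Estu Syalwa"><img src="https://avatars.githubusercontent.com/u/44757637?u=a2fc1ea8f7d827a96721176f79d30592d1c48059&amp;v=4" width="32" height="32" alt="Laduni Estu Syalwa" /></a>
 <a href="https://github.com/illarionvk?ref=orpc" target="_blank" rel="noopener" title="Illarion Koperski"><img src="https://avatars.githubusercontent.com/u/5012724?u=7cfa13652f7ac5fb3c56d880e3eb3fbe40c3ea34&amp;v=4" width="32" height="32" alt="Illarion Koperski" /></a>
+<a href="https://github.com/Scrumplex?ref=orpc" target="_blank" rel="noopener" title="Sefa Eyeoglu"><img src="https://avatars.githubusercontent.com/u/11587657?u=ab503582165c0bbff0cca47ce31c9450bb1553c9&amp;v=4" width="32" height="32" alt="Sefa Eyeoglu" /></a>
 </p>
 
 ## License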
@@ -43,6 +43,8 @@ interface OpenAPIReferencePluginOptions<T extends Context> extends OpenAPIGenera
43
43
  /**
44
44
  * HTML to inject into the <head> of the docs page.
45
45
  *
46
+ * @warning This is not escaped special characters, so must be used with caution to avoid XSS vulnerabilities.
47
+ *
46
48
  * @default ''
47
49
  */
48
50
  docsHead?: Value<Promisable<string>, [StandardHandlerInterceptorOptions<T>]>;
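Review bot: The new JSDoc sentence `@warning This is not escaped special characters, so must be used with caution to avoid XSS vulnerabilities.` is ungrammatical and leaves the actual contract vague, and `@warning` is not a standard JSDoc/TSDoc tag so some doc tooling will drop or flag it. I would phrase it as `@remarks The value is injected into the page verbatim (no escaping), so it must come from a trusted source; untrusted content here is an XSS vector.`, which tells the caller what is and is not done rather than only that caution is needed. The identical hunk is repeated at the second `@@ -43,6 +43,8 @@ interface OpenAPIReferencePluginOptions` block below (presumably the sibling declaration file) and should get the same wording. The enclosing interface starts outside the hunk.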
@@ -43,6 +43,8 @@ interface OpenAPIReferencePluginOptions<T extends Context> extends OpenAPIGenera
43
43
  /**
44
44
  * HTML to inject into the <head> of the docs page.
45
45
  *
46
+ * @warning This is not escaped special characters, so must be used with caution to avoid XSS vulnerabilities.
47
+ *
46
48
  * @default ''
47
49
  */
48
50
  docsHead?: Value<Promisable<string>, [StandardHandlerInterceptorOptions<T>]>;
@@ -30,7 +30,8 @@ class OpenAPIReferencePlugin {
30
30
  this.docsHead = options.docsHead ?? "";
31
31
  this.specPath = options.specPath ?? "/spec.json";
32
32
  this.generator = new OpenAPIGenerator(options);
33
- const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
33
+ const escapeHtmlEntities = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
34
+ const escapeJsonForHtml = (obj) => stringifyJSON(obj).replace(/&/g, "\\u0026").replace(/'/g, "\\u0027").replace(/</g, "\\u003C").replace(/>/g, "\\u003E").replace(/\//g, "\\u002F");
34
35
  this.renderDocsHtml = options.renderDocsHtml ?? ((specUrl, title, head, scriptUrl, config, spec, docsProvider, cssUrl) => {
35
36
  let body;
36
37
  if (docsProvider === "swagger") {
@@ -51,11 +52,15 @@ class OpenAPIReferencePlugin {
51
52
  <body>
52
53
  <div id="app"></div>
53
54
 
54
- <script src="${esc(scriptUrl)}"><\/script>
55
+ <script src="${escapeHtmlEntities(scriptUrl)}"><\/script>
55
56
 
57
+ <!-- IMPORTANT: assign to a variable first to prevent ), ( in values breaking the call expression. -->
58
+ <!-- IMPORTANT: escapeJsonForHtml ensures <, > cannot terminate the <\/script> tag prematurely. -->
56
59
  <script>
60
+ const swaggerConfig = ${escapeJsonForHtml(swaggerConfig).replace(/"(SwaggerUIBundle\.[^"]+)"/g, "$1")}
61
+
57
62
  window.onload = () => {
58
- window.ui = SwaggerUIBundle(${stringifyJSON(swaggerConfig).replace(/"(SwaggerUIBundle\.[^"]+)"/g, "$1")})
63
+ window.ui = SwaggerUIBundle(swaggerConfig)
59
64
  }
60
65
  <\/script>
61
66
  </body>
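Review bot: The unquoting regex on the new line `const swaggerConfig = ${escapeJsonForHtml(swaggerConfig).replace(/"(SwaggerUIBundle\.[^"]+)"/g, "$1")}` runs after escaping and turns any string value that starts with `SwaggerUIBundle.` back into raw JavaScript, and because `[^"]+` does not stop at a JSON-escaped `\"`, such a value containing a quote would be emitted as a malformed statement rather than a quoted string. That is only safe while swaggerConfig is operator-supplied configuration, so the trust boundary deserves a comment on that line, e.g. `// swaggerConfig is trusted server config: any value prefixed "SwaggerUIBundle." is emitted as code, not as a string`. Relatedly, `escapeHtmlEntities` defined at the top of the previous hunk leaves `'` unescaped, which is fine for the double-quoted `src`/`href` attributes and the `<title>` text it is used in but not for a single-quoted attribute; a one-line comment such as `// safe for text nodes and double-quoted attribute values only` would prevent unsafe reuse. The renderDocsHtml body this belongs to continues outside the hunk.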
@@ -67,12 +72,16 @@ class OpenAPIReferencePlugin {
67
72
  };
68
73
  body = `
69
74
  <body>
70
- <div id="app" data-config="${esc(stringifyJSON(scalarConfig))}"></div>
71
-
72
- <script src="${esc(scriptUrl)}"><\/script>
73
-
75
+ <div id="app"></div>
76
+
77
+ <script src="${escapeHtmlEntities(scriptUrl)}"><\/script>
78
+
79
+ <!-- IMPORTANT: assign to a variable first to prevent ), ( in values breaking the call expression. -->
80
+ <!-- IMPORTANT: escapeJsonForHtml ensures <, > cannot terminate the <\/script> tag prematurely. -->
74
81
  <script>
75
- Scalar.createApiReference('#app', JSON.parse(document.getElementById('app').dataset.config))
82
+ const scalarConfig = ${escapeJsonForHtml(scalarConfig)}
83
+
84
+ Scalar.createApiReference('#app', scalarConfig)
76
85
  <\/script>
77
86
  </body>
78
87
  `;
@@ -83,8 +92,8 @@ class OpenAPIReferencePlugin {
83
92
  <head>
84
93
  <meta charset="utf-8" />
85
94
  <meta name="viewport" content="width=device-width, initial-scale=1" />
86
- <title>${esc(title)}</title>
87
- ${cssUrl ? `<link rel="stylesheet" type="text/css" href="${esc(cssUrl)}" />` : ""}
95
+ <title>${escapeHtmlEntities(title)}</title>
96
+ ${cssUrl ? `<link rel="stylesheet" type="text/css" href="${escapeHtmlEntities(cssUrl)}" />` : ""}
88
97
  ${head}
89
98
  </head>
90
99
  ${body}
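--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@orpc/openapi",
 "type": "module",
-"version": "1.13.8",
+"version": "1.13.10",
 "license": "MIT",
 "homepage": "https://orpc.dev",
 "repository": {
@@ -55,13 +55,13 @@
 "dependencies": {
 "json-schema-typed": "^8.0.2",
 "rou3": "^0.7.12",
-"@orpc/client": "1.13.8",
-"@orpc/contract": "1.13.8",
-"@orpc/server": "1.13.8",
-"@orpc/openapi-client": "1.13.8",
-"@orpc/shared": "1.13.8",
-"@orpc/standard-server": "1.13.8",
-"@orpc/interop": "1.13.8"
+"@orpc/contract": "1.13.10",
+"@orpc/client": "1.13.10",
+"@orpc/interop": "1.13.10",
+"@orpc/openapi-client": "1.13.10",
+"@orpc/server": "1.13.10",
+"@orpc/shared": "1.13.10",
+"@orpc/standard-server": "1.13.10"
 },
 "devDependencies": {
 "fastify": "^5.8.2",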