• GitHub GitHub Repo stars
  • Discord Discord Server
  • Recommended


    Formats: Severity:

    Some tools use JavaScript to render OpenAPI docs. They can be vulnerable to XSS attacks if they render HTML/markdown from descriptions that contain malicious eval() calls.

    Why did this violation appear?

    There is JavaScript code using eval() defined in a description value.

    Bad example

          description: "This is a hack attack. eval('alert(\'hacked!\')')";

    How do I fix this violation?

    Ensure there is no JavaScript or <script/> tags in any description.

    Spectral Equivalent

    The rule is equivalent to no-eval-in-markdown