Recommended

no-eval-in-markdown


Some tools render OpenAPI documents with JavaScript. If such a tool renders the HTML or Markdown found in description fields without sanitising it, a description that carries JavaScript (for example an eval() call) can execute in the viewer's browser, which is a cross-site scripting (XSS) issue.

Why did this violation appear?

A description value contains JavaScript code that calls eval().

Bad example

paths:
  /snakes/cakes:
    post:
      description: "This is a hack attack. eval('alert(\"hacked!\")')"

How do I fix this violation?

Ensure that no description contains JavaScript code or <script> tags. Descriptions should carry only plain text or Markdown; anything that needs to execute in the browser does not belong in the API document.
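The following is an added example of how a check equivalent to this rule can be implemented; it is not the linter's own code. It walks an already-parsed OpenAPI document (the result of json.load or yaml.safe_load) and reports every description or summary string that contains an eval() call or a <script> tag, using JSON Pointer paths so the report points at the offending field. The sample document embedded below is constructed for the example and includes the bad example from this page, a clean description, and a schema property that happens to be named "description", which must not be treated as text.

```python
import re

# What the rule looks for: a JavaScript eval() call, and (per the fix guidance
# above) a <script> tag. Word boundary and optional whitespace mean that
# "evaluate(" and "retrieval(" do not match, while "eval ('x')" does.
EVAL_RE = re.compile(r"\beval\s*\(")
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Keys whose string values are rendered as text by documentation tools.
TEXT_KEYS = ("description", "summary")


def _escape(segment):
    """Escape one JSON Pointer segment (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return segment.replace("~", "~0").replace("/", "~1")


def find_unsafe_descriptions(node, path=()):
    """Recursively scan a parsed OpenAPI document.

    Returns a list of (json_pointer, reason) tuples, one per description or
    summary string that contains eval() or a <script> tag.
    """
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            # Only a *string* under a text key is prose. A schema property named
            # "description" is a dict (a schema object), so it is skipped here
            # and recursed into below like any other node.
            if key in TEXT_KEYS and isinstance(value, str):
                pointer = "/" + "/".join(path + (_escape(key),))
                if EVAL_RE.search(value):
                    findings.append((pointer, "eval() call"))
                elif SCRIPT_RE.search(value):
                    findings.append((pointer, "<script> tag"))
            findings.extend(find_unsafe_descriptions(value, path + (_escape(key),)))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_unsafe_descriptions(item, path + (str(index),)))
    return findings


# Constructed sample document: the page's bad example plus a <script> case,
# a clean description, and a schema with a property called "description".
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {
        "title": "Snakes API",
        "version": "1.0.0",
        "description": "Retrieval of snakes; evaluate carefully.",
    },
    "paths": {
        "/snakes/cakes": {
            "post": {
                "description": "This is a hack attack. eval('alert(\"hacked!\")')",
            }
        },
        "/snakes": {
            "get": {
                "summary": "List snakes",
                "description": "<script>alert(1)</script>",
            }
        },
    },
    "components": {
        "schemas": {
            "Snake": {
                "type": "object",
                "properties": {
                    "description": {
                        "type": "string",
                        "description": "Free text about the snake",
                    }
                },
            }
        }
    },
}


if __name__ == "__main__":
    for pointer, reason in find_unsafe_descriptions(SAMPLE_DOC):
        print(f"{pointer}: {reason}")
```

Run against the sample, the check reports the two path descriptions and nothing else; the info description mentions "retrieval" and "evaluate" but contains no eval() call, and the schema property named "description" is a schema object rather than text. To use it on a real file, replace SAMPLE_DOC with the output of yaml.safe_load on the OpenAPI document.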

Spectral Equivalent

This rule is equivalent to Spectral's no-eval-in-markdown rule.