FAQ

  • GitHub GitHub Repo stars
  • Discord Discord Server
  • ✨ New! Try the OpenAPI Doctor ✨ The OpenAPI Doctor
    Recommended

    no-eval-in-markdown


    Formats: Severity:

    Some tools use JavaScript to render OpenAPI docs. They can be vulnerable to XSS attacks if they render HTML/markdown from descriptions that contain malicious eval() calls.

    Why did this violation appear?

    There is JavaScript code using eval() defined in a description value.

    Bad example

    paths:
      /snakes/cakes:
        post:
          description: "This is a hack attack. eval('alert(\'hacked!\')')";
    

    How do I fix this violation?

    Ensure there is no JavaScript or <script/> tags in any description.

    Spectral Equivalent

    The rule is equivalent to no-eval-in-markdown