no-script-tags-in-markdown

Formats:

Severity:

Some tools use JavaScript to render OpenAPI docs. They can be vulnerable to XSS attacks if they render HTML/markdown from descriptions that contain malicious <script> code.

This rule protects against potentially being attacked by malicious code. It’s a really bad idea to execute randomly sourced remote JavaScript from within your own application.

Why did this violation appear?

There is JavaScript code being injected via a <script> tag defined in a description value.

Bad example

paths:
  /snakes/cakes:
    post:
      description: "This is a hack attack. <script>alert('hacked!')</script>";

How do I fix this violation?

Ensure there is no JavaScript or <script/> tags in any description.

Spectral Equivalent

The rule is equivalent to no-script-tags-in-markdown