• GitHub GitHub Repo stars
  • Discord Discord Server
  • Recommended


    Formats: Severity:

    Some tools use JavaScript to render OpenAPI docs. They can be vulnerable to XSS attacks if they render HTML/markdown from descriptions that contain malicious <script> code.

    This rule protects against potentially being attacked by malicious code. It’s a really bad idea to execute randomly sourced remote JavaScript from within your own application.

    Why did this violation appear?

    There is JavaScript code being injected via a <script> tag defined in a description value.

    Bad example

          description: "This is a hack attack. <script>alert('hacked!')</script>";

    How do I fix this violation?

    Ensure there is no JavaScript or <script/> tags in any description.

    Spectral Equivalent

    The rule is equivalent to no-script-tags-in-markdown