
♻️ Refactor logic to handle OpenAPI and Swagger UI escaping data#14986

Merged
tiangolo merged 2 commits into master from root-path-html
Feb 24, 2026

Conversation

@tiangolo

♻️ Refactor logic to handle OpenAPI and Swagger UI escaping data

OpenAPI, do not store root_path in servers: the only way this could be a problem is if there was a misconfigured proxy that somehow allowed an attacker client to set x-forwarded-* headers and passed them along. For a proxy (or server) to do this, it normally has to be intentionally/explicitly misconfigured. But again, doesn't hurt to have it there.

Escape Swagger UI configs: I wouldn't consider this really important, the Swagger UI logic takes only data from the same developer building the app, I don't see a feasible scenario where this could be a problem, but probably also doesn't hurt much to have it there.


I received several "security reports" with this, I suspect some automated scanning tool that checks any JSON inside of HTML or similar. I don't consider these security issues, but also think it's probably fine to have these changes.
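The Swagger UI escaping the description refers to, as an added illustration that is not FastAPI's own code (`json_for_script` and `render_swagger_ui_html` are hypothetical names, and the config values are constructed): developer-supplied config is serialised with JSON `\uXXXX` escapes so that no value can close the inline `<script>` block or open an HTML comment, while the result stays valid JSON that round-trips through `json.loads`.

```python
import html
import json

# Characters that can end a <script> block or confuse the HTML parser when a
# JSON document is inlined into a page. Replacing them with JSON unicode
# escapes keeps the text valid JSON (and valid JavaScript) while the HTML
# parser never sees "</script>", "<!--" or a bare "&".
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # LINE SEPARATOR: legal in JSON, a syntax error in older JS
    "\u2029": "\\u2029",  # PARAGRAPH SEPARATOR: same issue
}


def json_for_script(value) -> str:
    """Serialise `value` as JSON that is safe to embed inside <script>...</script>.

    Hypothetical helper for this example; it is not FastAPI's implementation.
    """
    text = json.dumps(value, ensure_ascii=False)
    for raw, escaped in _HTML_UNSAFE.items():
        text = text.replace(raw, escaped)
    return text


def render_swagger_ui_html(openapi_url: str, title: str, swagger_ui_parameters: dict) -> str:
    """Hypothetical page renderer: every app-supplied value is escaped for its context.

    The <title> goes through html.escape() (HTML text context); the Swagger UI
    config goes through json_for_script() (inline JavaScript context).
    """
    config = {"url": openapi_url, "dom_id": "#swagger-ui", **swagger_ui_parameters}
    return (
        "<!DOCTYPE html><html><head>"
        f"<title>{html.escape(title)}</title></head><body>"
        '<div id="swagger-ui"></div>'
        "<script>"
        f"const config = {json_for_script(config)};"
        "window.ui = SwaggerUIBundle(config);"
        "</script></body></html>"
    )
```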

@codspeed-hq

codspeed-hq bot commented Feb 24, 2026

Merging this PR will not alter performance

✅ 20 untouched benchmarks


Comparing root-path-html (c167c04) with master (0cf27ec) [1]


Footnotes

  1. No successful run was found on master (2f9c914) during the generation of this report, so 0cf27ec was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@tiangolo tiangolo marked this pull request as ready for review February 24, 2026 09:11
@tiangolo tiangolo enabled auto-merge (squash) February 24, 2026 09:11
@tiangolo tiangolo merged commit 2686c7f into master Feb 24, 2026
28 checks passed
@tiangolo tiangolo deleted the root-path-html branch February 24, 2026 09:28
YuriiMotov added a commit to YuriiMotov/fastapi that referenced this pull request Feb 25, 2026
