better code injection handling for js

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClientCodegen.java

@@ -240,21 +240,21 @@ public class JavascriptClientCodegen extends DefaultCodegen implements CodegenCo
             Info info = swagger.getInfo();
             if (StringUtils.isBlank(projectName) && info.getTitle() != null) {
                 // when projectName is not specified, generate it from info.title
-                projectName = dashize(info.getTitle());
+                projectName = sanitizeName(dashize(info.getTitle()));
             }
             if (StringUtils.isBlank(projectVersion)) {
                 // when projectVersion is not specified, use info.version
-                projectVersion = info.getVersion();
+                projectVersion = escapeUnsafeCharacters(escapeQuotationMark(info.getVersion()));
             }
             if (projectDescription == null) {
                 // when projectDescription is not specified, use info.description
-                projectDescription = info.getDescription();
+                projectDescription = sanitizeName(info.getDescription());
             }
             if (additionalProperties.get(PROJECT_LICENSE_NAME) == null) {
                 // when projectLicense is not specified, use info.license
                 if (info.getLicense() != null) {
                     License license = info.getLicense();
-                    additionalProperties.put(PROJECT_LICENSE_NAME, license.getName());
+                    additionalProperties.put(PROJECT_LICENSE_NAME, sanitizeName(license.getName()));
                 }
             }
         }
@@ -1032,4 +1032,16 @@ public class JavascriptClientCodegen extends DefaultCodegen implements CodegenCo
         }
     }
 
+
+    @Override
+    public String escapeQuotationMark(String input) {
+        // remove ', " to avoid code injection
+        return input.replace("\"", "").replace("'", "");
+    }
+
+    @Override
+    public String escapeUnsafeCharacters(String input) {
+        return input.replace("*/", "");
+    }
+
 }

modules/swagger-codegen/src/main/resources/Javascript/api.mustache

@@ -2,41 +2,41 @@
 {{=< >=}}(function(root, factory) {
   if (typeof define === 'function' && define.amd) {
     // AMD. Register as an anonymous module.
-    define(['<#invokerPackage><invokerPackage>/</invokerPackage>ApiClient'<#imports>, '<#invokerPackage><invokerPackage>/</invokerPackage><#modelPackage><modelPackage>/</modelPackage><import>'</imports>], factory);
+    define(['<#invokerPackage><&invokerPackage>/</invokerPackage>ApiClient'<#imports>, '<#invokerPackage><&invokerPackage>/</invokerPackage><#modelPackage><&modelPackage>/</modelPackage><import>'</imports>], factory);
   } else if (typeof module === 'object' && module.exports) {
     // CommonJS-like environments that support module.exports, like Node.
-    module.exports = factory(require('../ApiClient')<#imports>, require('../<#modelPackage><modelPackage>/</modelPackage><import>')</imports>);
+    module.exports = factory(require('../ApiClient')<#imports>, require('../<#modelPackage><&modelPackage>/</modelPackage><import>')</imports>);
   } else {
     // Browser globals (root is window)
-    if (!root.<moduleName>) {
-      root.<moduleName> = {};
+    if (!root.<&moduleName>) {
+      root.<&moduleName> = {};
     }
-    root.<moduleName>.<classname> = factory(root.<moduleName>.ApiClient<#imports>, root.<moduleName>.<import></imports>);
+    root.<&moduleName>.<&classname> = factory(root.<&moduleName>.ApiClient<#imports>, root.<&moduleName>.<import></imports>);
   }
 }(this, function(ApiClient<#imports>, <import></imports>) {
   'use strict';
 
 <#emitJSDoc>  /**
    * <baseName> service.
-   * @module <#invokerPackage><invokerPackage>/</invokerPackage><#apiPackage><apiPackage>/</apiPackage><classname>
+   * @module <#invokerPackage><&invokerPackage>/</invokerPackage><#apiPackage><&apiPackage>/</apiPackage><classname>
    * @version <projectVersion>
    */
 
   /**
-   * Constructs a new <classname>. <#description>
+   * Constructs a new <&classname>. <#description>
    * <description></description>
-   * @alias module:<#invokerPackage><invokerPackage>/</invokerPackage><#apiPackage><apiPackage>/</apiPackage><classname>
+   * @alias module:<#invokerPackage><&invokerPackage>/</invokerPackage><#apiPackage><apiPackage>/</apiPackage><classname>
    * @class
-   * @param {module:<#invokerPackage><invokerPackage>/</invokerPackage>ApiClient} apiClient Optional API client implementation to use,
-   * default to {@link module:<#invokerPackage><invokerPackage>/</invokerPackage>ApiClient#instance} if unspecified.
+   * @param {module:<#invokerPackage><&invokerPackage>/</invokerPackage>ApiClient} apiClient Optional API client implementation to use,
+   * default to {@link module:<#invokerPackage><&invokerPackage>/</invokerPackage>ApiClient#instance} if unspecified.
    */
 </emitJSDoc>  var exports = function(apiClient) {
     this.apiClient = apiClient || ApiClient.instance;
 
 <#operations><#operation><#emitJSDoc><^usePromises>
     /**
-     * Callback function to receive the result of the <nickname> operation.
-     * @callback module:<#invokerPackage><invokerPackage>/</invokerPackage><#apiPackage><apiPackage>/</apiPackage><classname>~<nickname>Callback
+     * Callback function to receive the result of the <operationId> operation.
+     * @callback module:<#invokerPackage><invokerPackage>/</invokerPackage><#apiPackage><apiPackage>/</apiPackage><classname>~<operationId>Callback
      * @param {String} error Error message, if any.
      * @param <#vendorExtensions.x-jsdoc-type><&vendorExtensions.x-jsdoc-type> data The data returned by the service call.</vendorExtensions.x-jsdoc-type><^vendorExtensions.x-jsdoc-type>data This operation does not return a value.</vendorExtensions.x-jsdoc-type>
      * @param {String} response The complete HTTP response.
@@ -48,16 +48,16 @@
      * @param <&vendorExtensions.x-jsdoc-type> <paramName> <description></required></allParams><#hasOptionalParams>
      * @param {Object} opts Optional parameters<#allParams><^required>
      * @param <&vendorExtensions.x-jsdoc-type> opts.<paramName> <description><#defaultValue> (default to <.>)</defaultValue></required></allParams></hasOptionalParams><^usePromises>
-     * @param {module:<#invokerPackage><invokerPackage>/</invokerPackage><#apiPackage><apiPackage>/</apiPackage><classname>~<nickname>Callback} callback The callback function, accepting three arguments: error, data, response</usePromises><#returnType>
+     * @param {module:<#invokerPackage><&invokerPackage>/</invokerPackage><#apiPackage><&apiPackage>/</apiPackage><&classname>~<operationId>Callback} callback The callback function, accepting three arguments: error, data, response</usePromises><#returnType>
      * data is of type: <&vendorExtensions.x-jsdoc-type></returnType>
      */
-</emitJSDoc>    this.<nickname> = function(<vendorExtensions.x-codegen-argList>) {<#hasOptionalParams>
+</emitJSDoc>    this.<operationId> = function(<vendorExtensions.x-codegen-argList>) {<#hasOptionalParams>
       opts = opts || {};</hasOptionalParams>
       var postBody = <#bodyParam><#required><paramName></required><^required>opts['<paramName>']</required></bodyParam><^bodyParam>null</bodyParam>;
 <#allParams><#required>
       // verify the required parameter '<paramName>' is set
       if (<paramName> == undefined || <paramName> == null) {
-        throw "Missing the required parameter '<paramName>' when calling <nickname>";
+        throw "Missing the required parameter '<paramName>' when calling <operationId>";
       }
 </required></allParams>