From e34f719af6300b37d8ad213e7d975773baefbe17 Mon Sep 17 00:00:00 2001
From: Ruben Fonseca <rubefons@amazon.com>
Date: Tue, 9 Jan 2024 15:30:19 +0100
Subject: [PATCH] fix(event_handler): escape OpenAPI schema on Swagger UI
 (#3606)

* fix(event_handler): escape OpenAPI schema on Swagger UI

* fix: avoid the json loads/dumps

---------

Co-authored-by: Leandro Damascena <lcdama@amazon.pt>
---
 .../event_handler/api_gateway.py              |  2 +-
 .../event_handler/openapi/swagger_ui/html.py  | 29 +++++++++++++++----
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/aws_lambda_powertools/event_handler/api_gateway.py b/aws_lambda_powertools/event_handler/api_gateway.py
index 79e194e3719..70c10596463 100644
--- a/aws_lambda_powertools/event_handler/api_gateway.py
+++ b/aws_lambda_powertools/event_handler/api_gateway.py
@@ -1627,7 +1627,7 @@ def swagger_handler():
 
             openapi_servers = servers or [Server(url=(base_path or "/"))]
 
-            spec = self.get_openapi_json_schema(
+            spec = self.get_openapi_schema(
                 title=title,
                 version=version,
                 openapi_version=openapi_version,
diff --git a/aws_lambda_powertools/event_handler/openapi/swagger_ui/html.py b/aws_lambda_powertools/event_handler/openapi/swagger_ui/html.py
index d8ffb0efa19..0868dc487f4 100644
--- a/aws_lambda_powertools/event_handler/openapi/swagger_ui/html.py
+++ b/aws_lambda_powertools/event_handler/openapi/swagger_ui/html.py
@@ -1,16 +1,35 @@
-def generate_swagger_html(spec: str, js_url: str, css_url: str) -> str:
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from aws_lambda_powertools.event_handler.openapi.models import OpenAPI
+
+
+def generate_swagger_html(spec: "OpenAPI", js_url: str, css_url: str) -> str:
     """
     Generate Swagger UI HTML page
 
     Parameters
     ----------
-    spec: str
-        The OpenAPI spec in the JSON format
+    spec: OpenAPI
+        The OpenAPI spec
     js_url: str
         The URL to the Swagger UI JavaScript file
     css_url: str
         The URL to the Swagger UI CSS file
     """
+
+    from aws_lambda_powertools.event_handler.openapi.compat import model_json
+
+    # The .replace('</', '<\\/') part is necessary to prevent a potential issue where the JSON string contains
+    # </script> or similar tags. Escaping the forward slash in </ as <\/ ensures that the JSON does not inadvertently
+    # close the script tag, and the JSON remains a valid string within the JavaScript code.
+    escaped_spec = model_json(
+        spec,
+        by_alias=True,
+        exclude_none=True,
+        indent=2,
+    ).replace("</", "<\\/")
+
     return f"""
 <!DOCTYPE html>
 <html>
@@ -41,9 +60,7 @@ def generate_swagger_html(spec: str, js_url: str, css_url: str) -> str:
     layout: "BaseLayout",
     showExtensions: true,
     showCommonExtensions: true,
-    spec: JSON.parse(`
-        {spec}
-    `.trim()),
+    spec: {escaped_spec},
     presets: [
       SwaggerUIBundle.presets.apis,
       SwaggerUIBundle.SwaggerUIStandalonePreset