Stored XSS in blob viewer
Medium
GitLab
Reported by yvvdwf
Vulnerability Details
### Summary
I found a stored XSS in the blob viewer when viewing a JSON file.
In particular, when viewing an OpenAPI file, [openapi_viewer](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/blob/viewer/index.js#L43) is called to transfer the file's data to [SwaggerUIBundle](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/blob/openapi/index.js#L10) to render.
SwaggerUIBundle does its job when rendering a graphical representation of the OpenAPI content. It also allows *HTML tags and attributes* in the description of the OpenAPI document. Although it removes malicious tags and attributes, this is not enough in GitLab's context:
1. `class` and `style` attributes allow attackers to arbitrarily present their disposition. My demo below uses the `class` attribute to create a transparent layer that fills the document to intercept any user's clicks.
2. `data-*` attributes, with the help of [jquery-ujs](https://gitlab.com/gitlab-org/gitlab/-/blob/master/package.json#L90), allow attackers to create any request to the server when the user clicks (not only `GET`, but also `PUT`, `DELETE`, `HEAD`) with arbitrary parameters.
3. The current CSP is easily bypassed by [jQuery.globalEval](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/main.js#L54). In my demo below, you should see an `alert` after clicking anywhere.
### Steps to reproduce
1. In any project, create a file named `xss-openapi.js` with the following content:
```json
{
  "swagger": "2.0",
  "info": {
    "description": "<a href=https://gitlab.com/yvvdwf/data/-/wikis/alert.md data-type=script style='cursor:default' data-remote=true class='atwho-view select2-drop-mask pika-select'></a><script>alert(0)</script>"
  }
}
```
2. Click anywhere on the document view; you should see an alert.
### Impact
There are three impacts, as in the Summary above. The most important is the stored XSS, which allows attackers to perform any action on behalf of users at the client side.
### Examples
(This repository is in private mode, please let me know if you cannot access it)
https://gitlab.com/yvvdwf/xss/-/blob/master/xss-openapi.json
### What is the current *bug* behavior?
GitLab does not check the result generated by SwaggerUIBundle.
### What is the expected *correct* behavior?
GitLab should remove any inappropriate HTML attributes, such as `data-*`, `style` and `class`.
### Output of checks
This bug happens on GitLab.com
## Impact
The stored XSS allows attackers to perform any action on behalf of users at the client side.
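One way to implement the attribute filtering the report asks for under "expected correct behavior", as an added example that is not GitLab's or SwaggerUI's code. It assumes the renderer has already dropped disallowed tags (as the report says SwaggerUI does) and post-processes the remaining markup, dropping `class`, `style` and `data-*` and reporting what it removed so the same routine can serve as a regression check on renderer output.

```javascript
// Added example, not GitLab's or SwaggerUI's code. Drops the attributes this
// report shows are still dangerous in GitLab's page context: class, style and
// data-*. Illustrative regex tokenizer; in production the allowlist belongs in
// the sanitizer itself (e.g. DOMPurify's ALLOWED_ATTR), not in a regex pass.

function isForbiddenAttr(name) {
  const n = name.toLowerCase();
  return n === "class" || n === "style" || n.startsWith("data-");
}

// One attribute: name, optionally "= value" (double-quoted, single-quoted or bare).
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
// One opening tag: name, attribute text, optional "/" before ">".
// Limitation: a quoted attribute value containing ">" is not handled.
const OPEN_TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s[^>]*?)?)\s*(\/?)>/g;

// Returns { html, removed }: rewritten markup plus "tag[attr]" entries for every
// attribute dropped, so an empty `removed` means the renderer output was clean.
function stripForbiddenAttrs(html) {
  const removed = [];
  const cleaned = html.replace(OPEN_TAG_RE, (_m, tag, attrText, selfClose) => {
    const kept = [];
    for (const a of attrText.matchAll(ATTR_RE)) {
      const name = a[1];
      const value = a[2] ?? a[3] ?? a[4];
      if (isForbiddenAttr(name)) {
        removed.push(`${tag.toLowerCase()}[${name.toLowerCase()}]`);
        continue;
      }
      // Re-serialise with double quotes so bare values cannot smuggle extra attributes.
      kept.push(value === undefined ? name : `${name}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose}>`;
  });
  return { html: cleaned, removed };
}

// Constructed sample: the description from the report's payload, after a tag
// filter has already dropped the <script> element.
const SAMPLE =
  "<a href=https://gitlab.com/yvvdwf/data/-/wikis/alert.md data-type=script " +
  "style='cursor:default' data-remote=true class='atwho-view select2-drop-mask pika-select'></a>";

const result = stripForbiddenAttrs(SAMPLE);
console.log(result.html);    // <a href="https://gitlab.com/yvvdwf/data/-/wikis/alert.md"></a>
console.log(result.removed); // [ 'a[data-type]', 'a[style]', 'a[data-remote]', 'a[class]' ]
```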
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Stored