From abadf945062fc251e5a20f81dd56162639a74b4e Mon Sep 17 00:00:00 2001
From: Berk Karadalan <berkkaradalan@gmail.com>
Date: Sat, 13 Dec 2025 16:55:57 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Escape=20HTML=20in=20Swagger=20a?=
 =?UTF-8?q?nd=20ReDoc=20titles=20and=20URLs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 fastapi/openapi/docs.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fastapi/openapi/docs.py b/fastapi/openapi/docs.py
index 74b23a370..4b53a65ae 100644
--- a/fastapi/openapi/docs.py
+++ b/fastapi/openapi/docs.py
@@ -1,3 +1,4 @@
+import html as html_escape
 import json
 from typing import Any, Dict, Optional
 
@@ -121,7 +122,7 @@ def get_swagger_ui_html(
     <head>
     <link type="text/css" rel="stylesheet" href="{swagger_css_url}">
     <link rel="shortcut icon" href="{swagger_favicon_url}">
-    <title>{title}</title>
+    <title>{html_escape.escape(title)}</title>
     </head>
     <body>
     <div id="swagger-ui">
@@ -130,7 +131,7 @@ def get_swagger_ui_html(
     <!-- `SwaggerUIBundle` is now available on the page -->
     <script>
     const ui = SwaggerUIBundle({{
-        url: '{openapi_url}',
+        url: '{html_escape.escape(openapi_url)}',
     """
 
     for key, value in current_swagger_ui_parameters.items():
@@ -221,7 +222,7 @@ def get_redoc_html(
     <!DOCTYPE html>
     <html>
     <head>
-    <title>{title}</title>
+    <title>{html_escape.escape(title)}</title>
     <!-- needed for adaptive design -->
     <meta charset="utf-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -246,7 +247,7 @@ def get_redoc_html(
     <noscript>
         ReDoc requires Javascript to function. Please enable it to browse the documentation.
     </noscript>
-    <redoc spec-url="{openapi_url}"></redoc>
+    <redoc spec-url="{html_escape.escape(openapi_url)}"></redoc>
     <script src="{redoc_js_url}"> </script>
     </body>
     </html>