Dear All, for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a standalone server. Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS). For example, it's possible to write on http://myFusekyServer/dataset.html a query like: SELECT "<script>alert(document.domain)</script>" WHERE { ?subject ?predicate ?object } LIMIT 25 that shows a pop-up with the hostname.
Looking on the OWASP site ( https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content", but modifying the Fuseki code was too hard for us. Could anyone suggest how to figure out this issue? Are there properties to set to avoid XSS (this should be the best solution)? Do I have to open an issue on JIRA? Thanks, Max
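For reference, the OWASP Rule #1 approach applied to the browser side of the query page: an added example, not Fuseki's own code, that assumes the UI builds its results table from the SPARQL 1.1 JSON results format (escapeHtml, renderResultsTable and the sample payload are all constructed here).

```javascript
// Added example (not Fuseki's own code): escape SPARQL JSON result values
// before inserting them into HTML, following OWASP XSS Prevention Rule #1.
// Assumption: the query page renders SPARQL 1.1 JSON results into a table.

// Escape the six characters OWASP Rule #1 names for HTML element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Render a SPARQL JSON results object as an HTML table. Every header and cell
// goes through escapeHtml, so a literal such as "<script>...</script>" is
// displayed as text instead of being executed by the browser.
function renderResultsTable(results) {
  const vars = results.head.vars;
  const header = vars.map((v) => `<th>${escapeHtml(v)}</th>`).join('');
  const rows = results.results.bindings.map((row) => {
    const cells = vars.map((v) => {
      const binding = row[v];
      // Unbound variables (allowed by the results format) render as empty cells.
      const text = binding ? binding.value : '';
      return `<td>${escapeHtml(text)}</td>`;
    }).join('');
    return `<tr>${cells}</tr>`;
  }).join('');
  return `<table><tr>${header}</tr>${rows}</table>`;
}

// Constructed sample: the kind of result the query in the post produces, as
// it would arrive in SPARQL JSON form (variable name chosen here, not by Fuseki).
const sampleResults = {
  head: { vars: ['x'] },
  results: {
    bindings: [
      { x: { type: 'literal', value: '<script>alert(document.domain)</script>' } },
    ],
  },
};

console.log(renderResultsTable(sampleResults));
```

The same escaping must be applied wherever a result value reaches the page, including variable names and URIs, not only literal cells.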
