On 27/01/16 09:22, Massimiliano Ricci wrote:
Dear All,
for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a
standalone server.
Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS).
For example, it's possible to write on http://myFusekyServer/dataset.html a
query like:
SELECT "<script>alert(document.domain)</script>" WHERE { ?subject ?predicate ?object } LIMIT 25
that shows a pop-up with the hostname.
Looking on owasp site (
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data
into HTML Element Content" but modifying the Fuseki code was too hard for us.
Could anyone suggest how to figure out this issue?
Are there properties to set to avoid XSS (this should be the best
solution)?
Do I have to open an issue on JIRA?
Thanks,
Max
Please do raise a JIRA though it looks to be a problem with the YASQE
dependency. YASQE is including raw results in the HTML for the table
and should convert for HTML presentation.
Also - see the discussion on JENA-890 : should we have a simpler UI for
basic SPARQL exploration and a separate page (like dataset query) as
this more application centric query/navigate/present.
How did you try to fix it?
Andy
https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505
http://yasqe.yasgui.org/ for their tracker.
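
The following is an added example, not part of either message and not code from Fuseki or YASQE. It shows the OWASP Rule #1 fix discussed in the thread applied to a results table built from SPARQL JSON results, with raw insertion beside the escaped form; all function names and the sample data are constructed for illustration.

```javascript
// Added example: hypothetical helper names, not YASQE or Fuseki code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// OWASP Rule #1: escape untrusted data before placing it in HTML element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Turn one RDF term from a SPARQL JSON binding into display text for a cell.
function termToText(term) {
  if (term === undefined) return '';            // variable unbound in this row
  if (term.type === 'uri') return '<' + term.value + '>';
  if (term.type === 'bnode') return '_:' + term.value;
  let text = '"' + term.value + '"';
  if (term['xml:lang']) text += '@' + term['xml:lang'];
  else if (term.datatype) text += '^^<' + term.datatype + '>';
  return text;
}

// Build the table; `escape` is applied to every header and cell value.
function renderTable(results, escape) {
  const vars = results.head.vars;
  const header = '<tr>' + vars.map((v) => '<th>' + escape(v) + '</th>').join('') + '</tr>';
  const rows = results.results.bindings.map((row) =>
    '<tr>' + vars.map((v) => '<td>' + escape(termToText(row[v])) + '</td>').join('') + '</tr>');
  return '<table>' + header + rows.join('') + '</table>';
}

// Raw insertion: query results reach the page as markup (the reported behaviour).
const renderTableUnsafe = (results) => renderTable(results, (s) => s);
// Escaped insertion: query results reach the page as text only.
const renderTableSafe = (results) => renderTable(results, escapeHtml);

// Constructed sample in the SPARQL 1.1 Query Results JSON format.
const SAMPLE = {
  head: { vars: ['label', 'subject'] },
  results: { bindings: [
    { label: { type: 'literal', value: '<script>alert(document.domain)</script>' },
      subject: { type: 'uri', value: 'http://example.org/a?x=1&y=2' } },
    { label: { type: 'literal', value: 'plain', 'xml:lang': 'en' } },
  ] },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTableSafe(SAMPLE));
}
```

Escaping also matters for benign data: the `<http://...>` form of a URI would otherwise be parsed as a tag and disappear from the rendered cell.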