Thanks Andy for your reply. I also think the problem is with the YASQE dependency, but I didn't find any way to submit this issue to them. I've opened the JENA-1123 request on JIRA.

Max
2016-01-27 13:29 GMT+01:00 Andy Seaborne <[email protected]>:

> On 27/01/16 09:22, Massimiliano Ricci wrote:
>
>> Dear All,
>> for a customer we'd like to use Fuseki 2.3.1. on Linux RedHat as a
>> standalone server.
>> Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS).
>> For example, it's possible to write on http://myFusekyServer/dataset.html a
>> query like:
>>
>> SELECT "<script>alert(document.domain)</script>" WHERE { ?subject ?predicate ?object } LIMIT 25
>>
>> that shows a pop-up with the hostname.
>>
>> Looking on the OWASP site (
>> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>> ) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data
>> into HTML Element Content" but modifying the Fuseki code was too hard for us.
>> Could anyone suggest to us how to figure out this issue?
>> Are there properties to set to avoid XSS (this should be the best solution)?
>> Do I have to open an issue on JIRA?
>>
>> Thanks,
>> Max
>>
>
> Please do raise a JIRA though it looks to be a problem with the YASQE
> dependency. YASQE is including raw results in the HTML for the table and
> should convert for HTML presentation.
>
> Also - see the discussion on JENA-890 : should we have a simpler UI for
> basic SPARQL exploration and a separate page (like dataset query) as this
> more application centric query/navigate/present.
>
> How did you try to fix it?
>
> Andy
>
> https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505
>
> http://yasqe.yasgui.org/ for their tracker.
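As an added illustration of the fix Andy describes (converting result values for HTML presentation, i.e. OWASP Rule #1), here is a minimal result-table renderer that escapes every variable name and cell value before it is placed in markup. This is example code written for this thread, not YASQE's or Jena's own; the function names are mine, the input follows the SPARQL 1.1 Query Results JSON Format (head.vars plus results.bindings), and the sample result set is constructed, using a literal of the same shape as the one in Max's query.

```javascript
// Added example (not YASQE or Fuseki code): OWASP XSS Prevention Rule #1,
// HTML-escape untrusted data before inserting it into HTML element content.
// The result set shape is the SPARQL 1.1 Query Results JSON Format.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape the six characters OWASP Rule #1 lists for element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a results table as an HTML string. Both the header (variable names)
// and every cell value pass through escapeHtml, so no result data reaches
// the markup raw. Unbound variables render as an empty cell.
function renderResultsTable(resultSet) {
  const vars = resultSet.head.vars;
  const header = vars.map((v) => `<th>${escapeHtml(v)}</th>`).join("");
  const rows = resultSet.results.bindings.map((binding) => {
    const cells = vars.map((v) => {
      const term = binding[v];
      const text = term ? term.value : "";
      return `<td>${escapeHtml(text)}</td>`;
    });
    return `<tr>${cells.join("")}</tr>`;
  });
  return `<table><thead><tr>${header}</tr></thead>` +
         `<tbody>${rows.join("")}</tbody></table>`;
}

// Constructed sample: one binding whose literal value contains markup,
// as a server would return it for a query selecting such a literal.
const SAMPLE_RESULTS = {
  head: { vars: ["label", "count"] },
  results: {
    bindings: [
      {
        label: { type: "literal", value: '<script>alert("xss")</script>' },
        count: { type: "literal", value: "25",
                 datatype: "http://www.w3.org/2001/XMLSchema#integer" },
      },
      // Second row leaves ?count unbound to exercise the empty-cell path.
      { label: { type: "literal", value: "plain & simple" } },
    ],
  },
};

// Render the constructed sample; returns the HTML string for inspection.
function renderSample() {
  return renderResultsTable(SAMPLE_RESULTS);
}

// Cheap regression check for a renderer: no raw tag from the data survives.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log(renderSample());
```

In a browser the same effect is reached without string building by creating `td` elements and assigning the value to `textContent` rather than `innerHTML`; the escaping function above is the equivalent when the table is assembled as a string, which is how a YASQE-style results pane typically works.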
