On 27/01/16 15:30, Andy Seaborne wrote:
On 27/01/16 14:45, Massimiliano Ricci wrote:
Thanks Andy for your reply.
I also think the problem is with the YASQE dependency, but I didn't find any
way to submit this issue to them.

https://github.com/OpenTriply/YASGUI.YASQE/issues

Reported:

https://github.com/OpenTriply/YASGUI.YASR/issues/83

I tried the latest release of yasr and it has the same problem.

Any string displayed (lexical form of a literal) is not checked for HTML display. "<b>bold</b>" being a slightly less worrying example than <script>

    Andy


I've opened the JENA-1123 request on JIRA.



Max


2016-01-27 13:29 GMT+01:00 Andy Seaborne <[email protected]>:

On 27/01/16 09:22, Massimiliano Ricci wrote:

Dear All,
   for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a
standalone server.
Unfortunately we've encountered an anomaly of Cross Site Scripting
(XSS).
For example, it's possible to write on
http://myFusekyServer/dataset.html
a query like:
SELECT "<script>alert(document.domain)</script>" WHERE { ?subject
?predicate ?object } LIMIT 25
that shows a pop-up with the hostname.

Looking on the OWASP site (
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted
Data into HTML Element Content", but modifying the Fuseki code was too hard for
us.
Could anyone suggest to us how to figure out this issue?
Are there properties to set to avoid XSS (this would be the best
solution)?
Do I have to open an issue on JIRA?

Thanks,
Max


Please do raise a JIRA though it looks to be a problem with the YASQE
dependency.  YASQE is including raw results in the HTML for the table
and should convert for HTML presentation.

Also - see the discussion on JENA-890 : should we have a simpler UI for
basic SPARQL exploration and a separate page (like dataset query) as
this is more application centric query/navigate/present.

How did you try to fix it?

         Andy

https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505

http://yasqe.yasgui.org/ for their tracker.




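The conversion step Andy describes (escaping each result's lexical form before it is placed in the HTML table), as an added JavaScript example written for this thread; it is not code from YASR, YASQE or Fuseki, and the result JSON it renders is constructed to mirror the query in Max's report:

```javascript
// Added example (not YASR/Fuseki code): render SPARQL JSON result cells as
// text, HTML-escaping the lexical form before it is inserted into the table
// (OWASP XSS Prevention Cheat Sheet, Rule #1).

// Escape the five characters that matter inside HTML element content and
// attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build one <td> for a binding in the SPARQL 1.1 Query Results JSON format.
// Every part of the binding (value, datatype, language tag) is untrusted,
// since all of it originates in the store or in the query text itself.
function renderCell(binding) {
  if (binding === undefined) return '<td></td>';
  let text;
  switch (binding.type) {
    case 'uri':
      text = '&lt;' + escapeHtml(binding.value) + '&gt;';
      break;
    case 'bnode':
      text = '_:' + escapeHtml(binding.value);
      break;
    default: // 'literal' (and the older 'typed-literal')
      text = '"' + escapeHtml(binding.value) + '"';
      if (binding['xml:lang']) text += '@' + escapeHtml(binding['xml:lang']);
      else if (binding.datatype) text += '^^&lt;' + escapeHtml(binding.datatype) + '&gt;';
  }
  return '<td>' + text + '</td>';
}

// Constructed sample: what a query like the one in the thread returns.
const sampleResults = {
  head: { vars: ['x'] },
  results: { bindings: [
    { x: { type: 'literal', value: '<script>alert(document.domain)</script>' } },
    { x: { type: 'literal', value: '<b>bold</b>', 'xml:lang': 'en' } },
    { x: { type: 'uri', value: 'http://example.org/a?b=1&c=2' } }
  ] }
};

// Assemble the whole table; only markup produced here is ever unescaped.
function renderTable(json) {
  const rows = json.results.bindings.map(b =>
    '<tr>' + json.head.vars.map(v => renderCell(b[v])).join('') + '</tr>');
  return '<table>' + rows.join('') + '</table>';
}
```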