Great!! When do you think you will release Fuseki 2.4.0?

2016-01-31 17:46 GMT+01:00 Andy Seaborne <[email protected]>:

> Thanks to Laurens Rietveld, the author of YASGUI, we have a fix for Jena.
> The fix [*] is in the way Jena uses yasr.
>
> JENA-1123 is resolved.
> The latest dev build has it in.
>
> Caution: you have to flush the changed JavaScript into the browser.
>
> Browsers seem to be obstinate about doing this but (1) clear the site cache and (2) a hard refresh (Ctrl-F5) seems to work. (Developer tools mode helps as well but in my experience is not guaranteed.)
>
> Andy
>
> [*] https://github.com/apache/jena/commit/0e9f9319c0
>
>
> On 27/01/16 19:33, Andy Seaborne wrote:
>
>> On 27/01/16 15:30, Andy Seaborne wrote:
>>
>>> On 27/01/16 14:45, Massimiliano Ricci wrote:
>>>
>>>> Thanks Andy for your reply.
>>>> I also think the problem is with the YASQE dependency, but I didn't find any way to submit this issue to them.
>>>
>>> https://github.com/OpenTriply/YASGUI.YASQE/issues
>>
>> Reported:
>>
>> https://github.com/OpenTriply/YASGUI.YASR/issues/83
>>
>> I tried the latest release of yasr and it has the same problem.
>>
>> Any string displayed (lexical form of a literal) is not checked for HTML display. "<b>bold</b>" being a slightly less worrying example than <script>
>>
>> Andy
>>
>>
>>>> I've opened a JENA-1123 request on JIRA.
>>>>
>>>> Max
>>>>
>>>>
>>>> 2016-01-27 13:29 GMT+01:00 Andy Seaborne <[email protected]>:
>>>>
>>>>> On 27/01/16 09:22, Massimiliano Ricci wrote:
>>>>>
>>>>>> Dear All,
>>>>>> for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a standalone server.
>>>>>> Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS).
>>>>>> For example, it's possible to write on http://myFusekyServer/dataset.html a query like:
>>>>>> SELECT "<script>alert(document.domain)</script>" WHERE { ?subject ?predicate ?object } LIMIT 25
>>>>>> that shows a pop-up with the hostname.
>>>>>>
>>>>>> Looking on the OWASP site ( https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content" but modifying the Fuseki code was too hard for us.
>>>>>> Could anyone suggest to us how to figure out this issue?
>>>>>> Are there properties to set to avoid XSS (this should be the best solution)?
>>>>>> Do I have to open an issue on JIRA?
>>>>>>
>>>>>> Thanks,
>>>>>> Max
>>>>>
>>>>> Please do raise a JIRA though it looks to be a problem with the YASQE dependency. YASQE is including raw results in the HTML for the table and should convert for HTML presentation.
>>>>>
>>>>> Also - see the discussion on JENA-890: should we have a simpler UI for basic SPARQL exploration and a separate page (like dataset query) for this more application-centric query/navigate/present.
>>>>>
>>>>> How did you try to fix it?
>>>>>
>>>>> Andy
>>>>>
>>>>> https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505
>>>>>
>>>>> http://yasqe.yasgui.org/ for their tracker.
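The defect discussed in this thread is that the lexical form of each result literal is concatenated straight into the results-table markup, so a literal such as "<b>bold</b>" or a "<script>" element becomes live HTML. The following JavaScript is an added illustration of OWASP Rule #1 (HTML-escape before inserting untrusted data into element content) applied to a SPARQL JSON results document; it is not Jena, Fuseki or YASR code, and the `escapeHtml`, `renderCellUnsafe`, `renderCellSafe` and `renderResultsTable` names, as well as the sample results document, are constructed for this example.

```javascript
// Added example (not Jena/YASR code): HTML-escape SPARQL result values before
// inserting them into a results table (OWASP XSS Prevention Rule #1).

// Escape the five characters that are significant in HTML element content and
// attribute values. Everything else in a literal's lexical form is left alone.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The defect the thread describes: the lexical form is concatenated straight
// into the table markup, so a literal containing markup becomes live HTML.
function renderCellUnsafe(term) {
  return `<td>${term.value}</td>`;
}

// The fix: escape before inserting. A literal "<b>bold</b>" is now shown as
// literal text rather than rendered as bold.
function renderCellSafe(term) {
  return `<td>${escapeHtml(term.value)}</td>`;
}

// Render a SPARQL 1.1 Query Results JSON document as an HTML table string.
// The cell renderer is a parameter only so the two variants can be compared;
// production code should always use the escaping renderer.
function renderResultsTable(results, renderCell = renderCellSafe) {
  const vars = results.head.vars;
  const header = `<tr>${vars.map((v) => `<th>${escapeHtml(v)}</th>`).join('')}</tr>`;
  const rows = results.results.bindings.map((binding) => {
    // A variable may be unbound in a given row (OPTIONAL); render an empty cell.
    const cells = vars.map((v) => (v in binding ? renderCell(binding[v]) : '<td></td>'));
    return `<tr>${cells.join('')}</tr>`;
  });
  return `<table>${header}${rows.join('')}</table>`;
}

// Constructed sample (not a real Fuseki response): the shape a SPARQL JSON
// results document takes for the two literals mentioned in the thread.
const SAMPLE_RESULTS = {
  head: { vars: ['s', 'label'] },
  results: {
    bindings: [
      { s: { type: 'uri', value: 'http://example.org/a' },
        label: { type: 'literal', value: '<b>bold</b>' } },
      { s: { type: 'uri', value: 'http://example.org/b' },
        label: { type: 'literal', value: '<script>alert(document.domain)</script>' } },
    ],
  },
};

// Detection check: does rendered markup still contain a raw <script> start tag?
// Useful as a unit-test assertion on any result-rendering code path.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderResultsTable(SAMPLE_RESULTS));
```

When the table is built with DOM APIs instead of string concatenation, the equivalent of `renderCellSafe` is to assign the lexical form to `td.textContent` (never `innerHTML`); the browser then treats it as text regardless of what it contains. Either way, the check is the same: after rendering, no literal from the result set should appear in the page as an unescaped tag.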
