On 02/02/16 14:03, Massimiliano Ricci wrote:
Great!!
When do you think you will release Fuseki 2.4.0?


Jena usually releases every 6 months.

There's a dev build if you want to test before the release

https://repository.apache.org/content/repositories/snapshots/org/apache/jena/

(make sure you get the latest)

        Andy

2016-01-31 17:46 GMT+01:00 Andy Seaborne <[email protected]>:

Thanks to Laurens Rietveld, the author of YASGUI, we have a fix for Jena.
The fix [*] is in the way Jena uses yasr.

JENA-1123 is resolved.
The latest dev build has it in.

Caution: you have to flush the changed javascript into the browser.

Browsers seem to be obstinate about doing this but (1) clear the site
cache and (2) a hard refresh (Ctrl-F5) seems to work.  (Developer tools
mode helps as well but in my experience is not guaranteed.)

         Andy

[*]
https://github.com/apache/jena/commit/0e9f9319c0


On 27/01/16 19:33, Andy Seaborne wrote:

On 27/01/16 15:30, Andy Seaborne wrote:

On 27/01/16 14:45, Massimiliano Ricci wrote:

Thanks, Andy, for your reply.
I also think the problem is with the YASQE dependency, but I didn't find any
way to submit this issue to them.


https://github.com/OpenTriply/YASGUI.YASQE/issues


Reported:

https://github.com/OpenTriply/YASGUI.YASR/issues/83

I tried the latest release of yasr and it has the same problem.

Any string displayed (lexical form of a literal) is not checked for HTML
display.  "<b>bold</b>" being a slightly less worrying example than
<script>

      Andy


I've opened a JENA-1123 request on JIRA.

Max


2016-01-27 13:29 GMT+01:00 Andy Seaborne <[email protected]>:

On 27/01/16 09:22, Massimiliano Ricci wrote:

Dear All,
    for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a
standalone server.
Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS).
For example, it's possible to write on http://myFusekyServer/dataset.html a
query like:
SELECT "<script>alert(document.domain)</script>" WHERE { ?subject
?predicate ?object } LIMIT 25
that shows a pop-up with the hostname.

Looking on the OWASP site (
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data
into HTML Element Content" but modifying the Fuseki code was too hard for
us.
Could anyone suggest to us how to figure out this issue?
Are there properties to set to avoid XSS (this should be the best
solution)?
Do I have to open an issue on JIRA?

Thanks,
Max


Please do raise a JIRA though it looks to be a problem with the YASQE
dependency.  YASQE is including raw results in the HTML for the table and
should convert for HTML presentation.

Also - see the discussion on JENA-890 : should we have a simpler UI for
basic SPARQL exploration and a separate page (like dataset query) as this
more application centric query/navigate/present.

How did you try to fix it?

          Andy


https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505


http://yasqe.yasgui.org/ for their tracker.
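The defect discussed in this thread is that the result table inserts the raw lexical form of each binding into HTML, so a literal such as "<script>alert(document.domain)</script>" is interpreted as markup instead of shown as text. The example below is added here and is not code from Jena, YASR/YASQE or the linked commit; it is a minimal renderer for a SPARQL 1.1 JSON results document that applies the OWASP "Rule #1" escaping Max quoted, placed next to the unsafe rendering so the difference is visible. The results document is a constructed sample in the shape of the query from the thread; the function names are this example's own.

```javascript
// Added example (not Jena/YASR code): render SPARQL JSON results into an HTML
// table, HTML-escaping every value before it is placed in element content.

// Constructed sample in the shape of a SPARQL 1.1 JSON results document,
// including the literal quoted in the thread and an IRI with '&' and '/'.
const sampleResults = {
  head: { vars: ["s"] },
  results: {
    bindings: [
      { s: { type: "literal", value: "<script>alert(document.domain)</script>" } },
      { s: { type: "uri", value: "http://example.org/a?b=1&c=2" } },
      { s: { type: "literal", value: "plain text", "xml:lang": "en" } },
    ],
  },
};

// The six characters OWASP Rule #1 says to escape for HTML element content.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the raw lexical form goes straight into the markup.
// This is the class of defect reported in the thread; kept only for contrast.
function renderCellUnsafe(term) {
  return `<td>${term.value}</td>`;
}

// Safe rendering: build the display form first, then escape it as a whole
// so that no character of the data can close or open a tag.
function renderCellSafe(term) {
  let shown = term.value;
  if (term.type === "uri") {
    shown = `<${term.value}>`;                         // IRI display form
  } else if (term["xml:lang"]) {
    shown = `"${term.value}"@${term["xml:lang"]}`;     // language-tagged literal
  } else if (term.datatype) {
    shown = `"${term.value}"^^<${term.datatype}>`;     // typed literal
  }
  return `<td>${escapeHtml(shown)}</td>`;
}

// Render the whole table; variable names are escaped too, since they also
// come from the query text. renderCell defaults to the safe variant.
function renderTable(results, renderCell = renderCellSafe) {
  const vars = results.head.vars;
  const header = vars.map((v) => `<th>${escapeHtml(v)}</th>`).join("");
  const rows = results.results.bindings
    .map((b) => `<tr>${vars.map((v) => (v in b ? renderCell(b[v]) : "<td></td>")).join("")}</tr>`)
    .join("");
  return `<table><thead><tr>${header}</tr></thead><tbody>${rows}</tbody></table>`;
}

// Simple check on the produced markup: is there still a real <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

When the page is built with the DOM rather than string concatenation, the equivalent of the safe path is to assign each value with `textContent` (or `document.createTextNode`) instead of `innerHTML`; either way the rule is the same one the thread arrives at: convert for HTML presentation before the raw result reaches the document.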







