Posted to dev@jena.apache.org by "Andy Seaborne (JIRA)" <ji...@apache.org> on 2016/01/27 16:29:39 UTC

[jira] [Commented] (JENA-1123) Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1

    [ https://issues.apache.org/jira/browse/JENA-1123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15119601#comment-15119601 ] 

Andy Seaborne commented on JENA-1123:
-------------------------------------

Happens when the query is executed and the results include lexical forms with HTML fragments.

It seems YASQE does not clean the lexical form when putting it into the HTML for the results.


> Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1
> --------------------------------------------------------
>
>                 Key: JENA-1123
>                 URL: https://issues.apache.org/jira/browse/JENA-1123
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Fuseki
>    Affects Versions: Fuseki 2.3.1
>            Reporter: Massimiliano Ricci
>              Labels: security, xss
>
> In the Fuseki web interface, dataset.html page -> tab "query",
> it's possible to write a query like:
> {noformat}
> SELECT ("<script>alert(document.domain)</script>" AS ?X) WHERE { }
> {noformat}
> that shows a pop-up with the hostname.
> Probably the problem is with the YASQE dependency.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
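
Added example, not part of the original message and not YASQE or Fuseki code: a sketch of the issue described above, where a lexical form from a SPARQL JSON result is placed into result-table HTML, shown once copied as-is and once HTML-encoded on output. The names renderRows, renderUnsafe, renderSafe and escapeHtml and the sample result set are assumptions made for illustration.

```javascript
// Added illustration; not YASQE or Fuseki source code.
// Constructed SPARQL JSON result set for the query quoted in the report.
const sampleResults = {
  head: { vars: ["X"] },
  results: { bindings: [
    { X: { type: "literal", value: "<script>alert(document.domain)</script>" } }
  ] }
};

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a string for use in HTML text or in a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer: builds table rows from a SPARQL JSON result set.
// `encode` is applied to every variable name and lexical form before it
// is placed into the markup; unbound variables give an empty cell.
function renderRows(json, encode) {
  const vars = json.head.vars;
  const header = "<tr>" + vars.map((v) => `<th>${encode(v)}</th>`).join("") + "</tr>";
  const rows = json.results.bindings.map((b) =>
    "<tr>" + vars.map((v) => `<td>${v in b ? encode(b[v].value) : ""}</td>`).join("") + "</tr>");
  return [header, ...rows].join("\n");
}

// Behaviour described in the comment: the lexical form is copied as-is,
// so the browser parses it as markup.
function renderUnsafe(json) { return renderRows(json, (s) => String(s)); }

// Corrected form: every value is HTML-encoded on output and is shown as text.
function renderSafe(json) { return renderRows(json, escapeHtml); }

console.log(renderUnsafe(sampleResults));
console.log(renderSafe(sampleResults));
```

When the table is built with DOM calls instead of strings, assigning the value through textContent gives the same result as renderSafe.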