Posted to dev@jena.apache.org by "Massimiliano Ricci (JIRA)" <ji...@apache.org> on 2016/01/27 15:32:39 UTC

[jira] [Created] (JENA-1123) Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1

Massimiliano Ricci created JENA-1123:
----------------------------------------

             Summary: Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1
                 Key: JENA-1123
                 URL: https://issues.apache.org/jira/browse/JENA-1123
             Project: Apache Jena
          Issue Type: Bug
          Components: Fuseki
    Affects Versions: Fuseki 2.3.1
            Reporter: Massimiliano Ricci


In the Fuseki web interface, dataset.html page -> tab "query",
it's possible to write a query like:

SELECT "<script>alert(document.domain)</script>" WHERE { ?subject ?predicate ?object } LIMIT 25 

that shows a pop-up with the hostname.
Probably the problem is with the YASQE dependency.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
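
Added example, not part of the original report and not code from Fuseki or YASQE: the report does not say where the string is written into the page, so this sketch assumes it arrives as a value in a SPARQL JSON results document and is rendered into a table. The sample document and all function names are constructed for illustration; the weak rendering is shown beside the HTML-encoded one.

```javascript
// Constructed sample: a SPARQL JSON results document whose single binding
// carries the literal from the report. The variable name "x" is an assumption.
const sampleResults = {
  head: { vars: ["x"] },
  results: {
    bindings: [
      { x: { type: "literal", value: "<script>alert(document.domain)</script>" } },
    ],
  },
};

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build an HTML table from a results document. `encode` is applied to every
// variable name and every bound value before it is placed in markup.
function renderTable(doc, encode) {
  const vars = doc.head.vars;
  const header = vars.map((v) => `<th>${encode(v)}</th>`).join("");
  const rows = doc.results.bindings.map((b) => {
    const cells = vars.map((v) => {
      const bound = Object.prototype.hasOwnProperty.call(b, v);
      return `<td>${bound ? encode(b[v].value) : ""}</td>`;
    });
    return `<tr>${cells.join("")}</tr>`;
  });
  return `<table><tr>${header}</tr>${rows.join("")}</table>`;
}

// Weak form: values are concatenated into markup unchanged.
const renderUnsafe = (doc) => renderTable(doc, (s) => String(s));
// Corrected form: every value is HTML-encoded first, so it displays as text.
const renderSafe = (doc) => renderTable(doc, escapeHtml);

console.log(renderUnsafe(sampleResults));
console.log(renderSafe(sampleResults));
```

In browser code, assigning the value to `textContent` rather than `innerHTML` gives the same result without a hand-written encoder.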