Posted to dev@jena.apache.org by "Massimiliano Ricci (JIRA)" <ji...@apache.org> on 2016/01/27 15:32:39 UTC
[jira] [Created] (JENA-1123) Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1
Massimiliano Ricci created JENA-1123:
----------------------------------------
Summary: Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1
Key: JENA-1123
URL: https://issues.apache.org/jira/browse/JENA-1123
Project: Apache Jena
Issue Type: Bug
Components: Fuseki
Affects Versions: Fuseki 2.3.1
Reporter: Massimiliano Ricci
In the Fuseki web interface, dataset.html page -> tab "query",
it's possible to write a query like:
SELECT "<script>alert(document.domain)</script>" WHERE { ?subject ?predicate ?object } LIMIT 25
that shows a pop-up with the hostname.
Probably the problem is with the YASQE dependency.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
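
Added example, not part of the original report and not Fuseki or YASQE code: a sketch of how a results view can HTML-encode every value from a SPARQL JSON result set before building table markup, next to the unencoded pattern that lets a literal like the one in the report run as script. The function names and the sample result set are constructed for illustration.

```javascript
// Assumption: results arrive in the standard SPARQL 1.1 JSON results shape
// ({ head: { vars }, results: { bindings } }). All names here are hypothetical.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for use in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unencoded pattern: the literal's text becomes markup.
function renderCellUnsafe(term) {
  return "<td>" + (term ? term.value : "") + "</td>";
}

// Encoded pattern: the literal's text stays text.
function renderCellSafe(term) {
  if (term === undefined) return "<td></td>"; // unbound variable in this row
  return '<td class="' + escapeHtml(term.type) + '">' + escapeHtml(term.value) + "</td>";
}

// Build the table; variable names are encoded as well as values.
function renderResults(json, renderCell = renderCellSafe) {
  const vars = json.head.vars;
  const header = "<tr>" + vars.map((v) => "<th>" + escapeHtml(v) + "</th>").join("") + "</tr>";
  const rows = json.results.bindings.map(
    (b) => "<tr>" + vars.map((v) => renderCell(b[v])).join("") + "</tr>"
  );
  return "<table>" + header + rows.join("") + "</table>";
}

// Constructed sample: one row carries the literal from the report.
const SAMPLE = {
  head: { vars: ["label", "subject"] },
  results: {
    bindings: [
      {
        label: { type: "literal", value: "<script>alert(document.domain)</script>" },
        subject: { type: "uri", value: "http://example.org/s?a=1&b=2" },
      },
      { label: { type: "literal", value: "plain text" } }, // subject unbound
    ],
  },
};

console.log(renderResults(SAMPLE));
```

In a browser, assigning the literal through textContent instead of building an HTML string gives the same result without a hand-written encoder.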