Project: Blazegraph (by SYSTAP)
Issue: BLZG-8864

Namespace creation vulnerable to XSS injection

Details

Description

The workbench does not escape input values and is vulnerable to the injection of JavaScript in areas such as the namespace value.

Activity

Brad Bebee (beebs) added a comment - https://github.com/blazegraph/bigdata/pull/513

Brad Bebee (beebs) added a comment -

Starting with BLZG-8864, namespaces are escaped for HTML characters. The escaping only occurs on namespace creation. If you manually refer to the namespace with HTML characters after creation, the name must also be escaped.

Brad Bebee (beebs) added a comment -

Further testing revealed that the workbench.js must also be changed to prevent double-escaping.

Replace ".html(namespace)" with ".text(namespace)" on lines 325, 348, 357, and 368 in "workbench.js".

Brad Bebee (beebs) added a comment - https://github.com/blazegraph/bigdata/pull/516
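The comments above name two moving parts: an HTML-escaping step on namespace creation and a switch from `.html(namespace)` to `.text(namespace)` in workbench.js. The following is an added illustration, not Blazegraph's code: it models a jQuery-style `.html()` sink and `.text()` sink as two plain functions (`renderViaHtml`, `renderViaText`, both assumed names), applies one layer of escaping to a constructed namespace name, and shows what a double-escaped value looks like; it does not claim to reproduce the exact combination the linked pull requests chose.

```javascript
// Added illustration, not Blazegraph's workbench.js: a small model of how a
// namespace string reaches the page through a jQuery-style .html() sink versus
// a .text() sink, and what "double-escaping" of an already escaped name looks like.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAME_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// One layer of HTML escaping, as a server would apply on namespace creation.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// Entity decoding as a browser performs it while parsing markup.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => NAME_MAP[name]);
}

// Model of .html(ns): the string is parsed as markup. Any tag becomes an
// element (event-handler attributes on it would run); the rest is decoded text.
function renderViaHtml(ns) {
  const tags = ns.match(/<[^>]*>/g) || [];
  return { elementsCreated: tags.length, displayed: decodeEntities(ns.replace(/<[^>]*>/g, '')) };
}

// Model of .text(ns): nothing is parsed; the string is displayed verbatim.
function renderViaText(ns) {
  return { elementsCreated: 0, displayed: ns };
}

// True when a value has been escaped twice: the ampersands of its entities were
// themselves escaped, so a user would see a literal "&lt;" instead of "<".
function isDoubleEscaped(s) {
  return /&amp;(amp|lt|gt|quot|#39);/.test(s);
}

// Constructed sample: a namespace name carrying markup, as the report describes.
const RAW_NAMESPACE = 'kb<img src=x onerror=alert(1)>';
const STORED_ESCAPED = escapeHtml(RAW_NAMESPACE); // escaped once, at creation

function demo() {
  return {
    rawViaHtml: renderViaHtml(RAW_NAMESPACE),      // element created: the injection path
    rawViaText: renderViaText(RAW_NAMESPACE),      // shown literally, no element
    escapedViaHtml: renderViaHtml(STORED_ESCAPED), // no element, original name displayed
    escapedTwice: isDoubleEscaped(escapeHtml(STORED_ESCAPED)), // true: a second escaping layer
  };
}

console.log(JSON.stringify(demo(), null, 2));
```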

People

Assignee: Brad Bebee (beebs)
Reporter: Brad Bebee (beebs)
Votes: 0
Watchers: 1
