xss changes
iherman committed Mar 24, 2022
1 parent 3c652c2 commit ffd1d62
Showing 1 changed file with 18 additions and 5 deletions.
23 changes: 18 additions & 5 deletions pyRdfa/__init__.py
Expand Up @@ -455,6 +455,16 @@ def _get_input(self, name) :
(type, value, traceback) = sys.exc_info()
raise FailedSource(value)

@staticmethod
def _validate_output_format(outputFormat):
"""
Malicious actors may create XSS style issues by using an illegal output format... better be careful
"""
# protection against possible malicious URL call
if outputFormat not in ["turtle", "n3", "xml", "pretty-xml", "nt", "json-ld"] :
outputFormat = "turtle"
return outputFormat

####################################################################################################################
# Externally used methods
#
Expand Down Expand Up @@ -687,10 +697,12 @@ def rdf_from_sources(self, names, outputFormat = "turtle", rdfOutput = False) :
@return: a serialized RDF Graph
@rtype: string
"""
# protection against possible malicious URL call
outputFormat = pyRdfa._validate_output_format(outputFormat);

# This is better because it gives access to the various, non-standard serializations
# If it does not work because the extra are not installed, fall back to the standard
# rdlib distribution...

if rdflib.__version__ >= "3.0.0" :
graph = Graph()
else :
Expand Down Expand Up @@ -881,7 +893,7 @@ def _get_option(param, compare_value, default) :
# This is really for testing purposes only, it is an unpublished flag to force RDF output no
# matter what
try :
graph = processor.rdf_from_source(input, outputFormat, rdfOutput = ("forceRDFOutput" in list(form.keys())) or not htmlOutput)
outputFormat = pyRdfa._validate_output_format(outputFormat);
if outputFormat == "n3" :
retval = 'Content-Type: text/rdf+n3; charset=utf-8\n'
elif outputFormat == "nt" or outputFormat == "turtle" :
Expand All @@ -890,6 +902,7 @@ def _get_option(param, compare_value, default) :
retval = 'Content-Type: application/ld+json; charset=utf-8\n'
else :
retval = 'Content-Type: application/rdf+xml; charset=utf-8\n'
graph = processor.rdf_from_source(input, outputFormat, rdfOutput = ("forceRDFOutput" in list(form.keys())) or not htmlOutput)
retval += '\n'
retval += graph
return retval
Expand Down Expand Up @@ -936,13 +949,13 @@ def _get_option(param, compare_value, default) :
else :
retval +="<dt>URI received:</dt><dd><code>'%s'</code></dd>\n" % cgi.escape(uri)
if "host_language" in list(form.keys()) :
retval +="<dt>Media Type:</dt><dd>%s</dd>\n" % media_type
retval +="<dt>Media Type:</dt><dd>%s</dd>\n" % cgi.escape(media_type)
if "graph" in list(form.keys()) :
retval +="<dt>Requested graphs:</dt><dd>%s</dd>\n" % form.getfirst("graph").lower()
retval +="<dt>Requested graphs:</dt><dd>%s</dd>\n" % cgi.escape(form.getfirst("graph").lower())
else :
retval +="<dt>Requested graphs:</dt><dd>default</dd>\n"
retval +="<dt>Output serialization format:</dt><dd> %s</dd>\n" % outputFormat
if "space_preserve" in form : retval +="<dt>Space preserve:</dt><dd> %s</dd>\n" % form["space_preserve"].value
if "space_preserve" in form : retval +="<dt>Space preserve:</dt><dd> %s</dd>\n" % cgi.escape(form["space_preserve"].value)
retval +="</dl>\n"
retval +="</body>\n"
retval +="</html>\n"
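Review bot: The line `retval +="<dt>Output serialization format:</dt><dd> %s</dd>\n" % outputFormat` in the last hunk still reflects the request-supplied format into the HTML unescaped, while the neighbouring media_type, graph and space_preserve values were escaped in this commit; the whitelist check added as `_validate_output_format` appears to run only inside the RDF branch (the `try` around the new `outputFormat = pyRdfa._validate_output_format(outputFormat)` line), so on this HTML path the value may reach the sink unvalidated unless the function already coerces it earlier, outside the hunk. Either wrapping it as `cgi.escape(outputFormat)` for consistency with the adjacent lines, or moving the `_validate_output_format` call to the top of the enclosing function before either branch, closes the gap. Note also that `cgi.escape` was deprecated in Python 3.2 and removed in 3.8 (`html.escape` is the replacement) and that its default leaves quotes unescaped, which is acceptable inside element text but not in attributes. As a point of style, the new `outputFormat = pyRdfa._validate_output_format(outputFormat);` lines carry trailing semicolons, which are unidiomatic in Python. The enclosing function begins and ends outside the hunks shown.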
