Comments (1)
I am also concerned by this. It is planned to extend SQID for remote editing of Wikidata (OAuth based), so XSS could be a real issue then.
I do not know what would be needed to exploit this potential issue. Can anyone do this without having write access to our message files? I have tested what happens with HTML characters in, e.g., item labels, but I could not produce any problems there.
OTOH, I have not found any way to have HTML variable replacements with any form of sanitization. It seems that this feature is not well developed in angular translate, since there is no advanced sanitization that can allow restricted (or custom) HTML. I also don't know of any other hook to inject values before display.
In any case, it would be nice if we could at least switch off the public advertisement of this possible security issue in the console.
from sqid.
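As an added illustration (not SQID's or angular-translate's code), one way to keep trusted markup in the message-file strings while HTML-escaping every value substituted from Wikidata, written as plain JavaScript; the message string, the `Q123` id and the label are constructed samples.

```javascript
// Added example: interpolate a translation string that may carry trusted
// markup from the message files, while escaping every variable value
// (labels, descriptions) that comes from Wikidata before it is inserted.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace {{name}} placeholders with escaped values. Markup written in the
// template itself is left untouched; unknown placeholders stay as written.
function interpolateEscaped(template, params) {
  return template.replace(/\{\{\s*([A-Za-z_][\w.]*)\s*\}\}/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) return match;
    return escapeHtml(params[name]);
  });
}

// Constructed sample: a message-file string with trusted <b>/<code> markup,
// and a hypothetical item label containing HTML characters.
const MESSAGE = 'Item <b>{{label}}</b> (<code>{{id}}</code>) has {{count}} statements';
const UNTRUSTED_LABEL = '<script>x</script> & "friends"';

function demo() {
  return interpolateEscaped(MESSAGE, { label: UNTRUSTED_LABEL, id: 'Q123', count: 3 });
}

console.log(demo());
```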