Repository: jena Updated Branches: refs/heads/master 6eadb3662 -> 3e98f9330
fixed query response values not getting html-escaped
Project: http://git-wip-us.apache.org/repos/asf/jena/repo
Commit: http://git-wip-us.apache.org/repos/asf/jena/commit/0e9f9319
Tree: http://git-wip-us.apache.org/repos/asf/jena/tree/0e9f9319
Diff: http://git-wip-us.apache.org/repos/asf/jena/diff/0e9f9319
Branch: refs/heads/master
Commit: 0e9f9319c0e433469ff72edc1513d6d9b1e31ad9
Parents: c87a5d1
Author: Laurens Rietveld <[email protected]>
Authored: Fri Jan 29 18:08:31 2016 +0100
Committer: Laurens Rietveld <[email protected]>
Committed: Fri Jan 29 18:08:31 2016 +0100
----------------------------------------------------------------------
.../src/main/webapp/js/lib/qonsole.js | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/jena/blob/0e9f9319/jena-fuseki2/jena-fuseki-core/src/main/webapp/js/lib/qonsole.js
----------------------------------------------------------------------
diff --git a/jena-fuseki2/jena-fuseki-core/src/main/webapp/js/lib/qonsole.js b/jena-fuseki2/jena-fuseki-core/src/main/webapp/js/lib/qonsole.js
index 366bfed..d4b674e 100644
--- a/jena-fuseki2/jena-fuseki-core/src/main/webapp/js/lib/qonsole.js
+++ b/jena-fuseki2/jena-fuseki-core/src/main/webapp/js/lib/qonsole.js
@@ -6,6 +6,13 @@ var qonsole = function() {
 YASR = require('yasr');
 /**
+ * Escape html function, inspired by http://stackoverflow.com/questions/5499078/fastest-method-to-escape-html-tags-as-html-entities
+ */
+ var escapeString = function(unescaped) {
+ if (!unescaped) return '';
+ return unescaped.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');
+ }
+ /**
 * Some custom requirements for Jena, on how to present the bindings. I.e., bnodes prefixed with _:, literals with surrounding quotes, and URIs with brackets
 */
 YASR.plugins.table.defaults.getCellContent = function (yasr, plugin, bindings, variable, context) {
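Review bot: As shown here, the three `replace` calls in the added `escapeString` map `&`, `<` and `>` to themselves, which would make the helper a no-op; this is most likely the mail archive rendering the entity references `&amp;`, `&lt;`, `&gt;` as plain characters (the `"<" + visibleString + ">"` wrapper in the third hunk looks affected the same way), but it is worth confirming the committed file really contains the entity references. Independently of that, the helper only covers what matters in element text: it does not touch `"` or `'`, so it cannot be used for the `title='…'`/`href='…'` attribute values built further down in this function, which this commit leaves unescaped. Covering both quote characters lets one helper serve both contexts, and guarding on `== null` plus `String(...)` keeps it safe for non-string input. The function-expression statement also lacks its terminating semicolon after `}`.

```javascript
var escapeString = function(unescaped) {
  if (unescaped == null) return '';
  return String(unescaped)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
};
```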
@@ -14,7 +21,7 @@ var qonsole = function() {
 if (binding.type == "uri") {
 var title = null;
 var href = binding.value;
- var visibleString = href;
+ var visibleString = escapeString(href);
 var prefixed = false;
 if (context.usedPrefixes) {
 for (var prefix in context.usedPrefixes) {
@@ -28,11 +35,11 @@ var qonsole = function() {
 if (!prefixed) visibleString = "<" + visibleString + ">";
 value = "<a " + (title? "title='" + href + "' ": "") + "class='uri' target='_blank' href='" + href + "'>" + visibleString + "</a>";
 } else if (binding.type == "bnode"){
- value = "<span class='nonUri'>_:" + binding.value + "</span>";
+ value = "<span class='nonUri'>_:" + escapeString(binding.value) + "</span>";
 } else if (binding.type == "literal") {
- var stringRepresentation = binding.value;
+ var stringRepresentation = escapeString(binding.value);
 if (binding["xml:lang"]) {
- stringRepresentation = '"' + binding.value + '"@' + binding["xml:lang"];
+ stringRepresentation = '"' + stringRepresentation + '"@' + binding["xml:lang"];
 } else if (binding.datatype) {
 var xmlSchemaNs = "http://www.w3.org/2001/XMLSchema#";
 var dataType = binding.datatype;
@@ -50,7 +57,7 @@ var qonsole = function() {
 value = "<span class='nonUri'>" + stringRepresentation + "</span>";
 } else {
 //this is a catch-all: when using e.g. a csv content type, the bindings are not typed
- value = binding.value;
+ value = escapeString(binding.value);
 return "<div>" + value + "</div>";
 };
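Review bot: In the second hunk of this line (`@@ -28,11 +35,11 @@`), the context line `value = "<a " + ...` still inserts `href` raw into the `title='…'` and `href='…'` attribute values, so the escaping this commit adds only covers the visible link text; a binding value containing `'` ends the attribute early and the rest of the value is parsed as markup. The same gap applies to `binding["xml:lang"]` on the changed `stringRepresentation = '"' + stringRepresentation + '"@' + binding["xml:lang"];` line, and presumably to `binding.datatype`, which is only context here and is consumed below the hunk. Attribute values need an escape that also replaces `"` and `'`; once `escapeString` does that, the two lines become `value = "<a " + (title? "title='" + escapeString(href) + "' ": "") + "class='uri' target='_blank' href='" + escapeString(href) + "'>" + visibleString + "</a>";` and `stringRepresentation = '"' + stringRepresentation + '"@' + escapeString(binding["xml:lang"]);`. The enclosing `getCellContent` function begins before these hunks.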
