From bb3af3166e12d1f5b0b5a0bad34aae2223ef3649 Mon Sep 17 00:00:00 2001
From: "Bruno P. Kinoshita" <kinow@users.noreply.github.com>
Date: Wed, 27 Mar 2024 13:00:24 +0100
Subject: [PATCH] GH-2370: Improve validation of dataset graph names

---
 .../src/views/dataset/Upload.vue              | 35 +++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/jena-fuseki2/jena-fuseki-ui/src/views/dataset/Upload.vue b/jena-fuseki2/jena-fuseki-ui/src/views/dataset/Upload.vue
index 3f756315c32..085cecca209 100644
--- a/jena-fuseki2/jena-fuseki-ui/src/views/dataset/Upload.vue
+++ b/jena-fuseki2/jena-fuseki-ui/src/views/dataset/Upload.vue
@@ -60,7 +60,7 @@
                         placeholder="Leave blank for default graph"
                       />
                       <div class="invalid-feedback">
-                        Invalid graph name. Please remove any spaces.
+                        Invalid graph name. Please remove any spaces and encoded values.
                       </div>
                     </div>
                   </div>
@@ -416,15 +416,38 @@ export default {
       return this.validateGraphName() && this.validateFiles()
     },
     validateGraphName () {
-      // No spaces allowed in graph names.
-      const pattern = /^[^\s]+$/
       const graphName = this.$refs['dataset-graph-name'].value
-      if (graphName === '' || pattern.test(graphName)) {
+      // An empty graph name is OK.
+      if (graphName === '') {
         this.graphNameClasses = ['form-control is-valid']
         return true
       }
-      this.graphNameClasses = ['form-control is-invalid']
-      return false
+      // No spaces allowed in graph names.
+      const pattern = /^\S+$/
+      if (!pattern.test(graphName)) {
+        this.graphNameClasses = ['form-control is-invalid']
+        return false
+      }
+      // Only valid URIs allowed.
+      try {
+        new URL(graphName)
+      } catch {
+        this.graphNameClasses = ['form-control is-invalid']
+        return false
+      }
+      // Encoded components are not allowed.
+      try {
+        if (decodeURI(graphName) !== decodeURIComponent(graphName)) {
+          this.graphNameClasses = ['form-control is-invalid']
+          return false
+        }
+      } catch {
+        this.graphNameClasses = ['form-control is-invalid']
+        return false
+      }
+      // If it reached this part, then it's a valid graph name.
+      this.graphNameClasses = ['form-control is-valid']
+      return true
     },
     validateFiles () {
       if (this.upload.files !== null && this.upload.files.length > 0) {