
Changes for security of our clients from XSS attacks

Open danizen opened this issue 7 years ago • 0 comments

Our security team is trying out a new scanner, called netsparker. It found something that IBM AppScan never found, which is that parameters sent to the SPARQL endpoint that contain scripts will be echoed as errors.

In response to this, I made small changes to SparqlServlet so that all exceptions are sent as text/plain content-type. This prevents someone from getting a browser to execute the script. The point is not just to protect our users - the most likely place for someone to put such a malicious URL is in github.com issues for our projects. We click on it, try to reproduce the issue, and bang, they are in.

The changes have the added benefit of improving the SPARQL compliance, because we are now returning simple text on any error, and I made sure that bad type conversions are coming across as status code 400.

danizen, Sep 07 '17 20:09
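An added illustration of the pattern the issue describes, written for this page and not taken from Lodestar's SparqlServlet or from danizen's change: a hypothetical servlet with the HTML error page that reflects the request parameter (the kind of response a scanner flags as reflected XSS) beside the text/plain error path, with bad parameter type conversions mapped to 400. The class name, the `query` and `limit` parameter names, the default limit, the query-form check and the `X-Content-Type-Options` header are all assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical SPARQL endpoint servlet (not Lodestar's SparqlServlet).
 * Shows the reflected-error pattern a scanner flags, and the text/plain
 * error path that removes it. Parameter names are assumptions.
 */
public class ExampleSparqlServlet extends HttpServlet {

    // BEFORE (vulnerable): an HTML error page that reflects the request
    // parameter. A query of <script>alert(1)</script> is rendered as markup.
    // Kept here only for contrast; doGet below never calls it.
    private static void sendHtmlError(HttpServletResponse resp, String query, Exception e)
            throws IOException {
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>Query failed</h1>");
        out.println("<p>Query: " + query + "</p>");        // unescaped reflection
        out.println("<pre>" + e.getMessage() + "</pre>");  // message may repeat the input
        out.println("</body></html>");
    }

    // AFTER (hardened): every error goes back as text/plain, so whatever the
    // message contains, the browser never parses it as HTML.
    private static void sendPlainError(HttpServletResponse resp, int status, Exception e)
            throws IOException {
        resp.setStatus(status);
        resp.setContentType("text/plain;charset=UTF-8");
        // Assumption: also forbid content sniffing, so old browsers cannot
        // reinterpret a plain-text body that looks like HTML.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.getWriter().println("Error: " + e.getMessage());
    }

    // Type conversion of a user-supplied parameter. A failure here is the
    // client's fault, so the caller maps it to 400, not 500.
    private static int parseLimit(String raw) {
        if (raw == null) {
            return 100;                   // assumed default
        }
        return Integer.parseInt(raw);     // NumberFormatException on "abc" or "<script>"
    }

    // Minimal sanity check whose error message reflects the input, as real
    // parser errors tend to. Harmless under text/plain, an XSS under text/html.
    private static String requireQuery(String query) {
        if (query == null || query.trim().isEmpty()) {
            throw new IllegalArgumentException("missing query parameter");
        }
        String head = query.trim().split("\\s+")[0].toUpperCase();
        if (!head.matches("SELECT|ASK|CONSTRUCT|DESCRIBE|PREFIX|BASE")) {
            throw new IllegalArgumentException("unsupported query form: " + query);
        }
        return query;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            int limit = parseLimit(req.getParameter("limit"));
            String query = requireQuery(req.getParameter("query"));
            // A real endpoint would execute the query here; this stand-in
            // just confirms what was accepted, as plain text.
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().println("accepted " + query.trim().split("\\s+")[0]
                    + " query with limit " + limit);
        } catch (IllegalArgumentException e) {
            // NumberFormatException is a subclass, so bad type conversions land here too.
            sendPlainError(resp, HttpServletResponse.SC_BAD_REQUEST, e);
        } catch (RuntimeException e) {
            sendPlainError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e);
        }
    }
}
```

The point of the hardened path is that it does not try to HTML-escape the message at all: by declaring the body text/plain (and, as an assumed extra, `nosniff`), the response is never handed to the HTML parser, so a reflected `<script>` in the query or in the exception message is inert. Deploy it against a servlet container with servlet-api on the classpath; requesting `?limit=abc` should yield a 400 text/plain body, and `?query=%3Cscript%3Ealert(1)%3C/script%3E` a 400 whose body contains the tag as literal text.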