Avoid leaking stacktrace and fix error code in case of bad request in AjaxController#4132
chenejac
left a comment
@litvinovg thanks for this.
I used @gneissone example, meaning I tried to open http://localhost:8080/vivo/listrdf?vclass=http%3A%2F%2Fxmlns.com%2Ffoaf%2F0.1%2FPerson%3E%20.%20%3Fs%20%3Chttp%3A%2F%2Fvivoweb.org%2Fontology%2Fcore%23relatedBy%3E%20%3Fp%20.%20%3Fp%20%3Chttp%3A%2F%2Fvivoweb.org%2Fontology%2Fcore%23hideFromDisplay%3E%20%3FhiddenPubStatus%20.%20%3Fs%20a%20%3Chttp%3A%2F%2Fxmlns.com%2Ffoaf%2F0.1%2FPerson
which represents a SPARQL injection (the decoded vclass value):
http://xmlns.com/foaf/0.1/Person> . ?s <http://vivoweb.org/ontology/core#relatedBy> ?p . ?p <http://vivoweb.org/ontology/core#hideFromDisplay> ?hiddenPubStatus . ?s a <http://xmlns.com/foaf/0.1/Person
And I got a response in web browser
500 Failed to obtain the list.
org.apache.jena.sparql.ARQException: Value for the parameter contains a SPARQL injection risk
at org.apache.jena.query.ParameterizedSparqlString.validateParameterValue(ParameterizedSparqlString.java:630)
at org.apache.jena.query.ParameterizedSparqlString.setParam(ParameterizedSparqlString.java:692)
at org.apache.jena.query.ParameterizedSparqlString.setIri(ParameterizedSparqlString.java:760) ...
@brianjlowe is this what you expected as an output?
chenejac
left a comment
@litvinovg well done.
I have tested this PR by using Ben's example:
<html>
<head><title>XSS Exploit</title></head>
<body>
<form method="POST" action="http://localhost:8080/vivo/visualizationAjax" id="xssform">
<input type="hidden" name="uri" value='test"><script>alert("1")</script><a href="'>
<input type="hidden" name="vis" value="utilities">
<input type="hidden" name="vis_mode" value="SHOW_GRANTS_LINK">
</form>
<script>
document.getElementById('xssform').submit();
</script>
</body>
</html>
It provides the response:
Value for the parameter contains a SPARQL injection risk
The code is clean.
… error code on malformed requests.
6a26645 to 5bcf009
An improvement on top of #4127
What does this pull request do?
Fixed returned error code for bad requests.
Removed stacktrace from the output.
Removed unused imports in UtilityFunctions
How should this be tested?
Testing should be similar to #4127
Interested parties
@brianjlowe @chenejac
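Worked example of the pattern this PR and the thread above describe, added here and not part of the PR or of VIVO's own code: bind the request value with ParameterizedSparqlString.setIri so Jena validates it as an IRI, treat the ARQException Jena throws on an injection-looking value as a client error (400) with a fixed message, and log the detail server-side instead of writing the exception and stack trace into the response. The query template, the class and method names and the small Result stand-in for an HTTP response are assumptions; the two payloads in main are the ones quoted in the thread (the vclass injection and Ben's XSS form value), both of which Jena rejects because they contain '>' and '<'.

```java
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.sparql.ARQException;

public class VclassParamCheck {

    // Hypothetical query template: ?vclass is a placeholder that is bound
    // with setIri, never concatenated into the query text.
    private static final String TEMPLATE = "SELECT ?s WHERE { ?s a ?vclass }";

    /** Minimal stand-in for an HTTP response: status code plus body text (assumption). */
    public static final class Result {
        public final int status;
        public final String body;
        Result(int status, String body) { this.status = status; this.body = body; }
    }

    /**
     * Binds the request parameter and returns either the finished query (200)
     * or a 400 with a fixed message. The ARQException detail is logged, not
     * returned, so no stack trace or internal message reaches the client.
     */
    public static Result handle(String vclass) {
        if (vclass == null || vclass.isEmpty()) {
            return new Result(400, "Missing vclass parameter.");
        }
        ParameterizedSparqlString pss = new ParameterizedSparqlString(TEMPLATE);
        try {
            pss.setIri("vclass", vclass);
        } catch (ARQException e) {
            // Jena refuses IRI values that could break out of the <...> delimiters
            // (the "contains a SPARQL injection risk" message seen in the thread).
            System.err.println("Rejected vclass parameter: " + e.getMessage());
            return new Result(400, "Bad request: invalid vclass parameter.");
        }
        // toString() yields the query with the validated IRI substituted.
        return new Result(200, pss.toString());
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal class IRI, then the two payloads from the thread.
        String[] inputs = {
            "http://xmlns.com/foaf/0.1/Person",
            "http://xmlns.com/foaf/0.1/Person> . ?s <http://vivoweb.org/ontology/core#relatedBy> ?p . "
                + "?p <http://vivoweb.org/ontology/core#hideFromDisplay> ?hiddenPubStatus . "
                + "?s a <http://xmlns.com/foaf/0.1/Person",
            "test\"><script>alert(\"1\")</script><a href=\""
        };
        for (String in : inputs) {
            Result r = handle(in);
            System.out.println(r.status + " " + r.body);
        }
    }
}
```

The first input produces a 200 with `SELECT ?s WHERE { ?s a <http://xmlns.com/foaf/0.1/Person> }`; the other two produce a 400 with the fixed message, and only the server log sees Jena's reason. Returning 400 rather than 500 also keeps these requests out of server-error monitoring, where they are noise, while the log line still records the attempt.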