For anyone considering moving an application from your own computer and putting it on the public internet, the eXist documentation states a helpful admonition:
"For any live application it is recognised best practice to keep the attack surface of the application as small as possible. There are two aspects to this: 1. Reducing the application itself to the absolute essentials. 2. Limiting access routes to the application. eXist-db is no exception and should be configured for your production systems so that it provides only what you need and no more." (from http://exist-db.org/exist/apps/doc/production_good_practice.xml)
As applied to the oeaw.ac.at server, the issue is that the eXist server's REST interface is exposed to the public. Essentially, the "/data" URL at https://tei2016app.acdh.oeaw.ac.at/data/ is being mapped onto the eXist server's own URL, http://localhost:8080/exist/rest/db/apps/tei-abstracts/data. eXist's REST interface (http://exist-db.org/exist/apps/doc/devguide_rest.xml) is a convenient way to expose the documents in your collection for browsing and downloading. But this powerful interface does allow users with access to it to execute arbitrary XQuery. Matthias's solution (already applied, it appears!) keeps the original "/rest" URLs exposed, while filtering requests to prevent users from executing arbitrary code. This is a good step, but in general, good practice is to prevent these "/rest" URLs from being exposed to the public, using eXist's robust URL rewriting functions to limit what visitors are able to see and access.
As with many open source projects, eXist's built-in documentation is uneven. For anyone getting started with eXist, I'd highly recommend Adam Retter and Erik Siegel's book, _eXist_ (O'Reilly, 2014):
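To make the URL-rewriting suggestion above concrete, here is an added example of a controller.xql that serves the "/data" collection for browsing and downloading without routing anything through the REST servlet. It is not code from the original message, from Matthias, or from the tei-abstracts app. It assumes the file lives in /db/apps/tei-abstracts/controller.xql, that the public reverse proxy is repointed at http://localhost:8080/exist/apps/tei-abstracts/ (the URL-rewriting entry point) instead of the /exist/rest/... URL, and that two small modules, modules/list-docs.xql and modules/not-found.xql, exist to render a collection listing and a 404 page; those two module names are assumptions.

```xquery
xquery version "3.1";

(: controller.xql, assumed to be stored at /db/apps/tei-abstracts/controller.xql.
   eXist's XQueryURLRewrite hands every request under
   http://localhost:8080/exist/apps/tei-abstracts/ to this module, so nothing
   that the public proxy forwards here can reach /exist/rest directly. :)

declare namespace exist = "http://exist.sourceforge.net/NS/exist";

declare variable $exist:path external;
declare variable $exist:resource external;
declare variable $exist:controller external;
declare variable $exist:prefix external;
declare variable $exist:root external;

(: Only single XML documents directly inside the data collection are served.
   The anchored character class rejects "..", slashes and query-like names,
   so the controller never forwards anywhere outside /data. :)
declare variable $local:doc-pattern := "^/data/[A-Za-z0-9_-]+\.xml$";

if (matches($exist:path, $local:doc-pattern)) then
    (: Forwarding to the stored resource serves it read-only. Because the
       request never reaches the REST servlet, parameters such as _query,
       _xsl or _wrap are simply ignored rather than executed. :)
    <exist:dispatch>
        <exist:forward url="{$exist:controller}/data/{$exist:resource}"/>
    </exist:dispatch>
else if ($exist:path = ("/data", "/data/")) then
    (: Collection browsing goes through a listing module we write ourselves
       (modules/list-docs.xql, an assumed helper) instead of the REST
       collection listing, so visitors see only what that module emits. :)
    <exist:dispatch>
        <exist:forward url="{$exist:controller}/modules/list-docs.xql"/>
    </exist:dispatch>
else
    (: Anything else, including attempts to reach resources outside /data,
       is answered with 404 instead of falling through to eXist's defaults.
       modules/not-found.xql is an assumed helper that renders the page. :)
    (
        response:set-status-code(404),
        <exist:dispatch>
            <exist:forward url="{$exist:controller}/modules/not-found.xql"/>
        </exist:dispatch>
    )
```

With this in place the reverse proxy can map https://tei2016app.acdh.oeaw.ac.at/data/ onto http://localhost:8080/exist/apps/tei-abstracts/data/ and the "/rest" URLs need not be published at all, which removes the arbitrary-XQuery path rather than filtering it. A quick check after deploying: requesting /data/ should return the listing, /data/some-abstract.xml the document, and /data/../controller.xql or /data/?_query=1 a 404 with nothing executed.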