getContainerElements can return urls outside of the container

[Otto-AA]

I think intuitively the getContainerElements function should only return elements that have this folder as a parent (e.g. for /folder/ only /folder/* and not /other/). The current implementation allows any urls to be returned if the turtle file specifies this.

As an implication, when creating a folder with additional containment triples, these folders:

• recursive deletion can delete arbitrary urls (not tested, but the code looks like it would simply fetch all "contained" resources and then delete them, even if they are on a different server)
• are displayed to have children that could be arbitrary urls (tested, see below for an example)

Creating folders with additional containment triples is currently possible with ESS. Also note that it's not forbidden by the spec to add additional data when POSTing new folders, so it's something we should consider in the applications. An example turtle is following, which will display the public folder inside of confusion/:

@prefix ldp:  <http://www.w3.org/ns/ldp#> .
@prefix me:   <https://storage.inrupt.com/ba39f662-260a-415e-aee1-3290e3974092/reviews/confusion/> .
@prefix rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

me:     rdf:type      ldp:Container , ldp:BasicContainer ;
        ldp:contains  <https://sheep.solidcommunity.net/public/> .

Currently you can test this here, not sure how long I'll keep the link (note that it shows a folder of inrupt.com, but contains a child from solidcommunity.net): https://solidos.github.io/mashlib/dist/browse.html?uri=https%3A%2F%2Fstorage.inrupt.com%2Fba39f662-260a-415e-aee1-3290e3974092%2Freviews%2Fconfusion%2F

As a fix, I'd suggest that getContainerElements filters out urls that do not start with the container url. eg for the container https://example.org/public/ it should have the filter urls.filter(url => url.startsWith("https://example.org/public/")) (not sure how this looks like with rdflib objects).