[GeoNode-users] Cross-site scripting test - Security related - Issue

Naresh N naresh919 at gmail.com
Sun Sep 30 23:48:25 PDT 2018


Dear All,

We have used GeoNode for development of our portal SUVIDHA. As a part of
security we have changed the parameter value 'limit' in the following URL
to verify cross-site scripting attack.

Requested URL:

http://bhuvan-suvidha.nrsc.gov.in/api/base/?limit=10&offset=0&title__icontains=&limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt>&offset=0&title__icontains=e&type__in=raster&undefined=undefined

Response for above URL:

{"error": "Invalid limit '10'\"()&%<acx><ScRiPt >prompt(971923)</ScRiPt>' provided. Please provide a positive integer."}

Although the wrongly given input is not accepted, the error message contains
the user-given input in the given format. As per cross-site scripting, whenever
any meta characters (special characters) appear in the URL, the application
should encode the special characters. Since the response did not contain the
encoded user-given input, the given request is treated as a security alert for
a cross-site scripting attack.

Please help me with how to make all GET request parameters encoded before
proceeding with further steps.

Is there any setting available for making all the requested GET parameters
encoded in GeoNode/Django?

Thanks & Regards,
Naresh
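The escaping the post asks for has to happen at the point where the value is written into the response body; as an added example (not GeoNode or Django code), here is a stand-alone Python version of the limit check that HTML-escapes and truncates whatever it reflects. The host in SAMPLE_URL and the MAX_LIMIT bound are assumptions.

```python
# Added example (not GeoNode or Django project code): a stand-alone version
# of the 'limit' check from the post, building the JSON error body so that
# whatever is reflected back to the client is HTML-escaped first.
import html
import json
from urllib.parse import parse_qs, urlsplit

MAX_LIMIT = 1000    # assumed upper bound; not a GeoNode setting
REFLECT_CHARS = 64  # cap how much of a bad value is echoed back


def parse_limit(raw):
    """Return (value, None) for a positive integer, else (None, error_body)."""
    text = str(raw)
    # isdecimal() rejects signs, spaces and '1_0', all of which int() accepts
    if text.isdecimal() and 0 < int(text) <= MAX_LIMIT:
        return int(text), None
    # Escape <, >, &, " and ' so the echoed value is inert even if the body
    # is ever rendered as HTML, and truncate it to bound the response size.
    shown = html.escape(text[:REFLECT_CHARS], quote=True)
    message = "Invalid limit '%s' provided. Please provide a positive integer." % shown
    return None, json.dumps({"error": message})


def limit_from_url(url):
    """Pull 'limit' out of a request URL; a repeated key keeps the last value."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return parse_limit(qs.get("limit", [None])[-1])


def error_text(body):
    """The 'error' field of a JSON error body produced by parse_limit."""
    return json.loads(body)["error"]


# Constructed sample: the payload from the post, on a placeholder host.
SAMPLE_URL = ("http://geonode.example/api/base/?limit=10&offset=0&title__icontains="
              "&limit=10%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(971923)%3C/ScRiPt%3E"
              "&offset=0&title__icontains=e&type__in=raster")

if __name__ == "__main__":
    value, body = limit_from_url(SAMPLE_URL)
    print(value, body)
```

A body sent as application/json is shown as text by a browser, but the same string may end up in a log viewer or be inserted into the page by front-end code, so the escaping belongs where the message is built rather than in a global GET-parameter setting, which Django does not offer.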