[GeoNode-users] Cross-site scripting test - Security related - Issue
Naresh N
naresh919 at gmail.com
Sun Sep 30 23:48:25 PDT 2018
Dear All,
We have used GeoNode for the development of our portal SUVIDHA. As part of
security testing we have changed the value of the parameter 'limit' in the following URL
to test for a cross-site scripting attack.
Requested URL:
http://bhuvan-suvidha.nrsc.gov.in/api/base/?limit=10&offset=0&title__icontains=&limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt>&offset=0&title__icontains=e&type__in=raster&undefined=undefined

Response for above URL:
{"error": "Invalid limit '10'\"()&%<acx><ScRiPt >prompt(971923)</ScRiPt>' provided. Please provide a positive integer."}
Although the wrongly given input is not accepted, the error message contains
the user-given input in the given format. As per cross-site scripting, whenever any
meta characters (special characters) appear in the URL, the application
should encode the special characters. Since the response does not contain the encoded
user-given input, the given request is treated as a security alert for a
cross-site scripting attack.

Please help me with how to make all GET request parameters encoded before
proceeding to further steps.

Is there any setting available for encoding all the requested GET
parameters in GeoNode/Django?
Thanks&Regards,
Naresh
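The following is an added example, not code from the original post or from GeoNode/Django, showing the two places a practitioner would usually address a finding like the one above: validate the parameter and HTML-escape the rejected value before it is reflected in the error message, and mark the reply as JSON with MIME sniffing disabled. An escape-on-input helper is included because that is what the question asks for, but it is a hypothetical illustration of the approach, not a GeoNode setting. The query string is the one from the post, re-typed here as a constructed sample; the function names, the `minimum` parameter and the response-building helper are assumptions for the example.

```python
import html
import json
from urllib.parse import parse_qsl

# Constructed sample input: the query string from the post as the browser sent
# it (still percent-encoded). Not captured from a live request.
SAMPLE_QUERY = (
    "limit=10&offset=0&title__icontains=&"
    "limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt>"
    "&offset=0&title__icontains=e&type__in=raster&undefined=undefined"
)


def get_params(query_string):
    """Decode the query string the way a web framework does: split on '&',
    then percent-decode each key and value. For a repeated key the last value
    wins, which matches what Django's QueryDict.get() returns."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def parse_int(raw, name, minimum=1):
    """Validate one integer GET parameter (hypothetical helper).
    Returns (value, None) on success or (None, message) on failure. The
    rejected input is HTML-escaped before it is reflected into the message,
    so '<ScRiPt>' becomes '&lt;ScRiPt&gt;' and cannot inject markup."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        value = None
    if value is not None and value >= minimum:
        return value, None
    shown = html.escape("" if raw is None else str(raw))
    hint = "positive integer" if minimum == 1 else f"integer >= {minimum}"
    return None, f"Invalid {name} '{shown}' provided. Please provide a {hint}."


def error_response(message):
    """Build the error reply as (status, headers, body). Declaring the body as
    JSON and forbidding MIME sniffing means a browser will not render it as
    HTML even if some other code path reflected an unescaped value."""
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
    }
    return 400, headers, json.dumps({"error": message})


def escaped_get_params(query_string):
    """Escape-on-input variant: HTML-escape every decoded GET value before a
    view sees it. Hypothetical; a Django middleware could apply this to
    request.GET, but it also changes legitimate values such as 'A&B'."""
    return {k: html.escape(v) for k, v in get_params(query_string).items()}


def handle_request(query_string):
    """Minimal view: 'limit' must be positive, 'offset' non-negative; only the
    escaped form of a rejected value is ever reflected back."""
    params = get_params(query_string)
    for name, minimum in (("limit", 1), ("offset", 0)):
        _, err = parse_int(params.get(name), name, minimum=minimum)
        if err is not None:
            return error_response(err)
    return 200, {"Content-Type": "application/json"}, json.dumps({"objects": []})


if __name__ == "__main__":
    status, headers, body = handle_request(SAMPLE_QUERY)
    print(status, headers)
    print(body)
```

Escaping on output (in `parse_int`) is the usual fix for a reflected error message; escaping every GET value on input, as in `escaped_get_params`, would corrupt legitimate searches that contain `&`, `<` or quotes, so it is shown only because the question asks for it. The content-type headers are the part that actually prevents a browser from executing a script in a JSON body.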