Improvement for “Sharing Position with Friends” in MGE based Web GIS Application

    Yesterday we talked about the MapGuide Security Hotfix, so let's make our “Sharing Position With Friends” feature more secure as well. The X, Y and scale values arrive in the query string and end up both in the generated web layout and in the viewer URL, so to avoid a cross-site scripting attack they must be validated before they are passed on. Only plain decimal numbers are accepted; anything else is ignored and the default view is used.

    The code is below; pay attention to the parameter check in Page_Load and the IsValid method (the part marked bold in the original post).

        protected void Page_Load(object sender, EventArgs e)
        {
            // default flexible weblayout
            string webLayout = @"Library://Samples/Sheboygan/FlexibleLayouts/Slate.ApplicationDefinition";
            string viewerPathSchema = @"http://localhost/mapguide/fusion/templates/mapguide/slate/index.html?ApplicationDefinition={1}&SESSION={0}";

            // Demo credentials for the sample site; a deployment should use a dedicated
            // low-privilege MapGuide user rather than the built-in Administrator.
            string defaultUser = "Administrator";
            string defaultPassword = "admin";

            Utility utility = new Utility();
            utility.InitializeWebTier(Request);

            MgUserInformation userInfo = new MgUserInformation(defaultUser, defaultPassword);
            MgSiteConnection siteConnection = new MgSiteConnection();
            siteConnection.Open(userInfo);
            MgSite site = siteConnection.GetSite();
            string sessionId = site.CreateSession();

            // store in session for further use
            Session["sessionId"] = sessionId;

            // Read from the query string only; Request["X"] would also search form fields,
            // cookies and server variables.
            string centerX = Request.QueryString["X"];
            string centerY = Request.QueryString["Y"];
            string scale = Request.QueryString["scale"];

            if (centerX != null && centerY != null && scale != null)
            {
                // validate the parameters to avoid an XSS attack: the values go into the
                // web layout resource and into the viewer URL, so anything that is not a
                // plain number is rejected and the default view is used instead
                if (IsValid(centerX) && IsValid(centerY) && IsValid(scale))
                {
                    // Generate the new weblayout resource identifier
                    webLayout = utility.ChangeInitialViewInWebLayout(webLayout, sessionId, centerX, centerY, scale);
                }
            }

            string viewerPath = string.Format(viewerPathSchema, sessionId, Server.UrlEncode(webLayout));

            Response.Redirect(viewerPath);
        }

        // Only a plain decimal number is valid: optional sign, digits, optional fraction.
        // \A and \z anchor the whole string; in .NET '$' also matches before a trailing
        // newline, so "^...$" would let "100\n" through. [0-9] is used instead of \d
        // because \d also matches non-ASCII digit characters.
        private bool IsValid(string input)
        {
            return System.Text.RegularExpressions.Regex.IsMatch(input, @"\A[-+]?[0-9]+(\.[0-9]+)?\z");
        }
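    As an added example (not code from the original post), here is a stricter version of the same parameter check, written the way I would harden it: the values are parsed as numbers and re-serialised rather than passed on as strings, the scale must be positive, and the regex anchors with \A and \z so a trailing newline cannot slip through. The PositionParameters class, BuildViewerUrl, the session id and the sample inputs are constructed for this demonstration and are not part of the page's application.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example (not from the original post): a stricter version of the
// parameter check. The raw strings are never reused; the values are parsed
// and re-serialised, so only canonical numbers reach the viewer URL or the
// layout. BuildViewerUrl and the base URL are hypothetical stand-ins.
static class PositionParameters
{
    // Optional sign, ASCII digits, optional fraction. \A/\z anchor the whole
    // string (in .NET '$' also matches before a trailing '\n'); [0-9] is used
    // because \d would also accept non-ASCII digit characters.
    static readonly Regex Number =
        new Regex(@"\A[-+]?[0-9]+(\.[0-9]+)?\z", RegexOptions.CultureInvariant);

    public static bool TryParseCoordinate(string input, out double value)
    {
        value = double.NaN;
        // Length cap keeps pathological inputs out of the regex and the parser.
        if (input == null || input.Length > 32 || !Number.IsMatch(input))
            return false;
        // Invariant culture: ',' as decimal or group separator is rejected.
        return double.TryParse(input,
                               NumberStyles.AllowLeadingSign | NumberStyles.AllowDecimalPoint,
                               CultureInfo.InvariantCulture, out value)
               && !double.IsInfinity(value);
    }

    // A map scale must be a positive number.
    public static bool TryParseScale(string input, out double scale)
    {
        return TryParseCoordinate(input, out scale) && scale > 0;
    }

    // Hypothetical builder. Returns null when any parameter is rejected so the
    // caller can fall back to the default layout, as the page handler does.
    public static string BuildViewerUrl(string baseUrl, string sessionId,
                                        string x, string y, string scale)
    {
        double cx, cy, s;
        if (!TryParseCoordinate(x, out cx) || !TryParseCoordinate(y, out cy) || !TryParseScale(scale, out s))
            return null;
        // The doubles are formatted with the round-trip specifier; the raw
        // query strings are never copied into the output.
        return string.Format(CultureInfo.InvariantCulture,
            "{0}?SESSION={1}&X={2:R}&Y={3:R}&scale={4:R}",
            baseUrl, Uri.EscapeDataString(sessionId), cx, cy, s);
    }

    static void Main()
    {
        // Constructed inputs: three valid values followed by ones that must be rejected.
        string[] inputs =
        {
            "-87.73", "43.75", "12000",
            "100\n",                              // trailing newline: passes ^...$ in .NET
            "1e5",                                // exponent form not allowed
            "12\"><script>alert(1)</script>",     // markup injection attempt
            "0x10", "NaN", "Infinity", "1,5",
        };
        foreach (string input in inputs)
        {
            double v;
            Console.WriteLine("{0,-36} -> {1}", input.Replace("\n", "\\n"),
                TryParseCoordinate(input, out v) ? v.ToString("R", CultureInfo.InvariantCulture) : "rejected");
        }

        string url = BuildViewerUrl(
            "http://localhost/mapguide/fusion/templates/mapguide/slate/index.html",
            "constructed-session-id", "-87.73", "43.75", "12000");
        Console.WriteLine(url ?? "rejected");
        Console.WriteLine(BuildViewerUrl("http://localhost/", "s", "-87.73", "43.75", "-1")
                          ?? "rejected (negative scale)");
    }
}
```

    Re-serialising the parsed doubles is what makes the check robust: even if a future change relaxes the regex, the strings that reach the URL or the layout XML are produced by the formatter, not copied from the request.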

    cheers!

    Author: 峻祁连
    Email: junqilian@163.com
    Source: http://junqilian.cnblogs.com
    Please keep this notice when reposting.
    Original article: https://www.cnblogs.com/junqilian/p/1706696.html