From ca2fec890dede2c34836ca6a108b5975c337713e Mon Sep 17 00:00:00 2001
From: Matt McFarland
Date: Thu, 2 Mar 2023 13:44:50 -0500
Subject: [PATCH] Quote escape qs values before templating to map (#156)

We previously santitized the input for malicious scripts, but also need to escape characters that could still lead to XSS.
---
 pctiler/pctiler/endpoints/item.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pctiler/pctiler/endpoints/item.py b/pctiler/pctiler/endpoints/item.py
index 2148b920..c2a89b4d 100644
--- a/pctiler/pctiler/endpoints/item.py
+++ b/pctiler/pctiler/endpoints/item.py
@@ -1,11 +1,11 @@
-from urllib.parse import urljoin
+from urllib.parse import quote_plus, urljoin
 from fastapi import Query, Request, Response
 from fastapi.templating import Jinja2Templates
+from html_sanitizer.sanitizer import Sanitizer
 from starlette.responses import HTMLResponse
 from titiler.core.factory import MultiBaseTilerFactory
-from titiler.pgstac.dependencies import ItemPathParams
-from html_sanitizer.sanitizer import Sanitizer
+from titiler.pgstac.dependencies import ItemPathParams  # removed in titiler.pgstac 3.0
 from pccommon.config import get_render_config
 from pctiler.colormaps import PCColorMapParams
@@ -50,8 +50,8 @@ def map(
     # Sanitize collection and item to avoid XSS when the values are templated
     # into the rendered html page
     sanitizer = Sanitizer()
-    collection_sanitized = sanitizer.sanitize(collection)
-    item_sanitized = sanitizer.sanitize(item)
+    collection_sanitized = quote_plus(sanitizer.sanitize(collection))
+    item_sanitized = quote_plus(sanitizer.sanitize(item))
     qs = render_config.get_full_render_qs(collection_sanitized, item_sanitized)
     tilejson_url = pc_tile_factory.url_for(request, "tilejson")
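Review bot: Once `quote_plus` is applied on the two added lines, only `[A-Za-z0-9_.~-]`, `%` and `+` can reach the query string, so the preceding `Sanitizer().sanitize()` call no longer contributes to the XSS defence and, being an HTML-fragment sanitizer rather than an identifier validator, may rewrite otherwise legitimate IDs before they are encoded; for a path parameter the stronger pattern is to validate against an allowlist and reject everything else, e.g. `if not re.fullmatch(r"[A-Za-z0-9._-]+", collection): raise HTTPException(status_code=400, detail="invalid collection id")` (and likewise for `item`, with the `re`/`HTTPException` imports added), keeping `quote_plus` as the output encoding. Encoding here also assumes `get_full_render_qs` does not itself `urlencode` its arguments — if it does, `%` becomes `%25` and the tile URL breaks; that helper is not in the hunk, so worth confirming with a test on an ID containing a space or `/`. The unchanged comment on the first two context lines now understates what happens; suggest `# Values are templated into the rendered html page: sanitize, then URL-encode so no HTML/JS metacharacters survive into the query string`. `map()` starts before and continues after this hunk.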