Improvement for “Sharing Position with Friends” in MGE based Web GIS Application

4710 단어 application

We just taken about the MapGuide Security Hotfix yestoday, and let’s make some improments to make our "Sharing Position With Friends" more secure as well. To avoid cross site script attack, it would be more secure to valide the parameters before pass it into URL.
code goes below, please pay attention to the code marked as bold.
    protected void Page_Load(object sender, EventArgs e)
    {

        // default flexible weblayout
        string webLayout = @"Library://Samples/Sheboygan/FlexibleLayouts/Slate.ApplicationDefinition";
        string viewerPathSchema = @"http://localhost/mapguide/fusion/templates/mapguide/slate/index.html?ApplicationDefinition={1}&SESSION={0}";


        string defaultUser = "Administrator";
        string defaultPassword = "admin";

        Utility utility = new Utility();

        utility.InitializeWebTier(Request);

        MgUserInformation userInfo = new MgUserInformation(defaultUser, defaultPassword);
        MgSiteConnection siteConnection = new MgSiteConnection();
        siteConnection.Open(userInfo);
        MgSite site = siteConnection.GetSite();
        string sessionId = site.CreateSession();

        //store in session for further use
        Session["sessionId"] = sessionId;

        if (Request["X"] != null && Request["Y"] != null && Request["scale"] != null)
        {
            string centerX = Request["X"].ToString();
            string centerY = Request["Y"].ToString();
            string scale = Request["scale"].ToString();

            // validate the parameter to avoid XSS attack
            if (IsValid(centerX) && IsValid(centerY) && IsValid(scale))
            {
                //Generate the new weblayout resource identifier
                webLayout = utility.ChangeInitialViewInWebLayout(webLayout, sessionId, centerX, centerY, scale);
            }

        }

        string viewerPath = string.Format(viewerPathSchema, sessionId, Server.UrlEncode(webLayout));

        Response.Redirect(viewerPath);

    }

    //Only number is valid 
    private bool IsValid(string input)
    {
        return System.Text.RegularExpressions.Regex.IsMatch(input, @"^(-|\+)?\d+(\.\d+)?$");
    }
.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }


 
 
cheers!

좋은 웹페이지 즐겨찾기