curationexperts / cypripedium / 6db8f690-8dce-49c9-9710-88edfedab580

99%

main: 99%

Pull #753

circleci

Patch Qualys flagged unencoded parameters

**ISSUE**
Qualys scans report a large number of potential unencoded character
vulnerabilites. We believe that the application sufficiently protects
from the potential threat vector, but we want to eliminate the
issues from Qualys report to achieve a clean baseline.

**RESOLUTION**
1) Ensure query parameters are escaped before reflecting them back in
search output.
2) Clear any invalid query parameters on invalid requests.

**Qualys Details**
>**Threat**
>The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
>**Impact**
>No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
>**Solution**
>Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.

5 of 5 new or added lines in 2 files covered. (100.0%)

1199 of 1216 relevant lines covered (98.6%)

17.32 hits per line