Change the way of request sent from 'GET' to 'POST' parameter

[Bikash-Bhatta]

If one uses get parameter in the html code to send the request to the server the data we type is reflected in the url itself. This can be tampered directly in the url rather using the input field and hence may be used to tamper with the HTML code or the JS script i.e. vulnerable to Cross Site Scripting(XSS).
Hence change the request parameter to POST so that information is not reflected in the URL.

Here I have given a example of it. Although the js command is not executed but one can do it through other possibilities in future.
Here whatever I have written in the url is reflected in the search result.
Actually there is no need of search box now, one can directly type in the url to find the desired result
So it will be better if the request parameter is changed to post.

[11DE784A]

Hi. Thanks for raising this issue!

Disclaimer: It has been a while since I was involved with web applications, so this may not be entirely up to date. @Abhishek-Deshmukh: Please verify and make changes (if any) before closing this issue.

Django escapes "dangerous" characters like <, >, &, etc. by default while rendering the template. You can read about this in the Django documentation. While there are situations where escaping bad characters is not sufficient, this is not one of them.

Even if this were a problem, changing the request type to POST would not fix it --- the bad query will get rendered as above no matter the request type. Moreover, as a search does not make any changes in the server, using a POST request would make the HTML semantically incorrect.

PS: You can take a look at the view that handles search and the template that renders the search query.

[PeithonKing]

So @11DE784A is this a valid bug? The question arises because we know Django is secure enough and those developers are working day and night to fix these types of things. Moreover, @Bikash-Bhatta had not been able to raise a real threat situation.

So... should I close this issue or put it up for fixing?