Hi there,
The issue MR-ISSUE-519 was just created by dimitrod (dimitrod2).
Key: MR-ISSUE-519
Summary: Request parameters take precedence over CaptureFor content when using layouts
Type: Bug
Importance: High
Description:
When using layouts, request parameters take precedence over content defined
inside the CaptureFor component. Here's a sample:
<!-- default.brail -->
<html>
<head>${?javascript}</head>
<body>${?ChildOutput}</body>
</html>
<!-- end of default.brail -->
<!-- index.brail -->
<% component CaptureFor, { @id: 'javascript' }: %>
    <script type="text/javascript" src="some_specific_script_to_index.js"></script>
<% end %>
<p>Hello world from my first action.</p>
<!-- end of index.brail -->
Invoke the index action with:
http://SERVER:PORT/home/index.castle?javascript=SOME_XSS
"SOME_XSS" is inserted in the head section instead of the content defined
inside the CaptureFor component.
The affected method is
Castle.MonoRail.Views.Brail.BrailBase.GetParameterInternal
(http://mvccontrib.googlecode.com/svn/trunk/src/MvcContrib.BrailViewEngine/BrailBase.cs)
It first checks for the properties in the current page and then in the parent:
    if (properties.Contains(name))
        return new ParameterSearch(properties[name], true);
    if (parent != null)
        return parent.GetParameterInternal(name);
Inverting the order of the check corrects the problem:
    if (parent != null)
        return parent.GetParameterInternal(name);
    if (properties.Contains(name))
        return new ParameterSearch(properties[name], true);
Unfortunately I am not well acquainted with the Brail view engine code base, so
I don't know if this change would have some side effects. I would appreciate it if
someone more familiar could shed some light on the issue.
Kind regards,
Darin
For more, see
http://support.castleproject.org/projects/MR/issues/view/MR-ISSUE-519
--
donjon
by Castle Stronghold
http://www.castle-donjon.com
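The lookup-order problem described in the report, modelled in Python as an added illustration (this is not Brail or MonoRail code, and it is not the reporter's). It assumes, as the reported fix implies, that request parameters are merged into the properties of the view that evaluates ${?javascript} and that the content captured by CaptureFor is stored in that view's parent; NOT_FOUND stands in for a ParameterSearch whose found flag is false. The parent-first lookup here also falls back to the current view's own properties when the parent chain has no value, which the literal inversion in the report does not do.

```python
"""Model of the view-parameter lookup order from the MR-ISSUE-519 report.

Added illustration, not code from Brail or MonoRail. Assumptions (not stated
on the page): request parameters land in the properties of the view that
evaluates the layout placeholders, and CaptureFor content lands in that
view's parent. NOT_FOUND models a ParameterSearch with found == false.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

NOT_FOUND = object()


@dataclass
class View:
    name: str
    properties: dict = field(default_factory=dict)
    parent: Optional["View"] = None

    def lookup_current_first(self, key):
        # Order reported as buggy: the current view's properties (which hold
        # the untrusted request parameters) shadow the parent's.
        if key in self.properties:
            return self.properties[key]
        if self.parent is not None:
            return self.parent.lookup_current_first(key)
        return NOT_FOUND

    def lookup_parent_first(self, key):
        # Order the report proposes: captured content in the parent wins.
        # Falls back to the current view when the parent chain has nothing;
        # the literal inversion in the report returns the parent's result
        # unconditionally, which is the kind of side effect it asks about.
        if self.parent is not None:
            found = self.parent.lookup_parent_first(key)
            if found is not NOT_FOUND:
                return found
        return self.properties.get(key, NOT_FOUND)


# Constructed layout, equivalent to default.brail in the report.
LAYOUT = "<html><head>${?javascript}</head><body>${?ChildOutput}</body></html>"
PLACEHOLDER = re.compile(r"\$\{\?(\w+)\}")


def render(template, view, lookup):
    """Substitute ${?name} placeholders via `lookup`; unresolved names render empty."""
    def substitute(match):
        value = lookup(view, match.group(1))
        return "" if value is NOT_FOUND else str(value)
    return PLACEHOLDER.sub(substitute, template)


def build_view(request_params):
    # Constructed sample: index.brail's CaptureFor content sits in the parent,
    # the (untrusted) request parameters are merged into the evaluating view.
    captured = {
        "javascript": '<script type="text/javascript" '
                      'src="some_specific_script_to_index.js"></script>',
    }
    parent = View("index", properties=captured)
    current_props = dict(request_params)
    current_props["ChildOutput"] = "<p>Hello world from my first action.</p>"
    return View("layout", properties=current_props, parent=parent)


def head_section(request_params, lookup):
    """Return what ends up between <head> and </head> for the given lookup order."""
    html = render(LAYOUT, build_view(request_params), lookup)
    return re.search(r"<head>(.*)</head>", html).group(1)


if __name__ == "__main__":
    # Constructed query string matching the report's ?javascript=SOME_XSS.
    params = {"javascript": "SOME_XSS"}
    print("current-first:", head_section(params, View.lookup_current_first))
    print("parent-first: ", head_section(params, View.lookup_parent_first))
```

With the reported order the request parameter replaces the captured script tag in the head section; with parent-first order the captured content is rendered and the request parameter is ignored for that name.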