Ayende,
Thanks for your reply. If I understand you correctly, you are
suggesting that I write a filter that will be applied to all the
actions and will overwrite the javascript request parameter with the
value inside my CaptureFor component. But how do I get the value of my
CaptureFor component inside a filter?

    public class ScriptsFilter : IFilter
    {
        public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
            Controller controller)
        {
            controller.PropertyBag["javascript"] = ???
            return true;
        }
    }

Could you please give me an example of this?
On Feb 22, 3:55 am, Ayende Rahien <[email protected]> wrote:
> Brail will try getting values from the property bag, then the request. You
> can create a filter to "overwrite" the request parameter.
>
> On Sat, Feb 21, 2009 at 11:53 AM, Darin <[email protected]> wrote:
>
> > I am using the CaptureFor component in order to insert some script
> > declarations in the head section of my site. I have the following
> > layout page:
>
> > <!-- default.brail -->
> > <html>
> > <head>
> > ${?javascript}
> > </head>
> > <body>
> > ${?childContent}
> > </body>
> > </html>
> > <!-- end of default.brail -->
>
> > And I use the CaptureFor component in my page like so:
>
> > <!-- index.brail -->
> > <% component CaptureFor, { @id: 'javascript' }: %>
> > <script type="text/javascript"
> > src="some_specific_script_to_index.js"></script>
> > <% end %>
> > <p>Hello world from my first action.</p>
> > <!-- end of index.brail -->
>
> > When I call the index action with http://localhost:3000/home/index.castle,
> > the script is correctly inserted into the head section and the
> > expected html is generated. The problem is when I call the index
> > action with
> > http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> > then the value from the request parameter is used instead of the
> > contents of my CaptureFor component which causes security issues. On
> > the other hand if I put the value of the javascript variable in the
> > controller's propertybag inside the index action, the propertybag
> > always takes precedence over the request variables but I find it ugly
> > to write such code in the controller.
>
> > As far as I understand, when using the ${?javascript} syntax, the
> > BrailBase.TryGetParameter method is invoked taking a single argument
> > which is the name of the parameter. I couldn't find any syntax that
> > would allow me to specify the scope of the parameter. For example look
> > only into the view components context and ignore request and form
> > variables. Is there something I am missing? I would greatly appreciate
> > any suggestions.
>
> > Kind regards,
> > Darin Dimitrov
>
>