Just set the value, and set the ScriptsFilter to run before the action.
You can set it to empty string.

On Sun, Feb 22, 2009 at 4:26 AM, Darin <darin.dimit...@gmail.com> wrote:

>
> Ayende,
>
> Thanks for your reply. If I understand you correctly, you are
> suggesting that I write a filter that will be applied to all the
> actions and it will overwrite the javascript request parameter with the
> value inside my CaptureFor component. But how do I get the value of my
> CaptureFor component inside a filter?
>
> public class ScriptsFilter : IFilter
> {
>    public bool Perform(ExecuteEnum exec, IRailsEngineContext context, Controller controller)
>    {
>        controller.PropertyBag["javascript"] = ???
>        return true;
>    }
> }
>
> Could you please give me an example of this?
>
>
> On Feb 22, 3:55 am, Ayende Rahien <aye...@ayende.com> wrote:
> > Brail will try getting values from the property bag, then the request. You
> > can create a filter to "overwrite" the request parameter.
> >
> > On Sat, Feb 21, 2009 at 11:53 AM, Darin <darin.dimit...@gmail.com> wrote:
> >
> > > I am using the CaptureFor component in order to insert some script
> > > declarations in the head section of my site. I have the following
> > > layout page:
> >
> > > <!-- default.brail -->
> > > <html>
> > > <head>
> > >    ${?javascript}
> > > </head>
> > > <body>
> > >    ${?childContent}
> > > </body>
> > > </html>
> > > <!-- end of default.brail -->
> >
> > > And I use the CaptureFor component in my page like so:
> >
> > > <!-- index.brail -->
> > > <% component CaptureFor, { @id: 'javascript' }: %>
> > >    <script type="text/javascript"
> > > src="some_specific_script_to_index.js"></script>
> > > <% end %>
> > > <p>Hello world from my first action.</p>
> > > <!-- end of index.brail -->
> >
> > > When I call the index action with
> > > http://localhost:3000/home/index.castle,
> > > the script is correctly inserted into the head section and the
> > > expected html is generated. The problem is when I call the index
> > > action with
> > > http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> > > then the value from the request parameter is used instead of the
> > > contents of my CaptureFor component which causes security issues. On
> > > the other hand if I put the value of the javascript variable in the
> > > controller's propertybag inside the index action, the propertybag
> > > always takes precedence over the request variables but I find it ugly
> > > to write such code in the controller.
> >
> > > As far as I understand, when using the ${?javascript} syntax, the
> > > BrailBase.TryGetParameter method is invoked taking a single argument
> > > which is the name of the parameter. I couldn't find any syntax that
> > > would allow me to specify the scope of the parameter. For example look
> > > only into the view components context and ignore request and form
> > > variables. Is there something I am missing? I would greatly appreciate
> > > any suggestions.
> >
> > > Kind regards,
> > > Darin Dimitrov
> >
> >
> >
>
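
Added example, not part of the original thread and not Castle project code: one way to write the filter described in the reply above, seeding the property bag with an empty string before the action runs so that ${?javascript} is resolved from the property bag and never falls through to the ?javascript= request parameter. The [Filter(ExecuteEnum.BeforeAction, ...)] attachment and the HomeController/Index names are assumptions based on the MonoRail API of that period; the thread itself only shows IFilter.Perform, ExecuteEnum and PropertyBag.

```csharp
using Castle.MonoRail.Framework;

// Pre-seeds the layout slot that default.brail reads with ${?javascript}.
public class ScriptsFilter : IFilter
{
    public bool Perform(ExecuteEnum exec, IRailsEngineContext context, Controller controller)
    {
        // Per the thread, Brail looks in the property bag first and only
        // then in the request. Putting an empty string here means a
        // ?javascript=... query parameter is never reached by the lookup.
        // No need to know the CaptureFor content in the filter: a view
        // that uses CaptureFor with id 'javascript' supplies it at render time.
        controller.PropertyBag["javascript"] = string.Empty;

        // true = continue processing the request.
        return true;
    }
}

// Assumed attachment: run the filter before every action of this controller.
[Filter(ExecuteEnum.BeforeAction, typeof(ScriptsFilter))]
public class HomeController : Controller
{
    // Renders index.brail inside the default.brail layout.
    // With the filter in place, /home/index.castle?javascript=... no longer
    // reaches the <head> of the layout.
    public void Index()
    {
    }
}
```

To confirm the fix, request an action whose view does not use CaptureFor with a ?javascript= marker value and check that the marker does not appear in the rendered <head>.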
