Just set the value, and set the ScriptsFilter to run before the action. You can set it to an empty string.

On Sun, Feb 22, 2009 at 4:26 AM, Darin <darin.dimit...@gmail.com> wrote:
>
> Ayende,
>
> Thanks for your reply. If I understand you correctly you are
> suggesting me to write a filter that will be applied to all the
> actions and it will overwrite the javascript request parameter with the
> value inside my CaptureFor component. But how do I get the value of my
> CaptureFor component inside a filter?
>
> public class ScriptsFilter : IFilter
> {
>     public bool Perform(ExecuteEnum exec, IRailsEngineContext context, Controller controller)
>     {
>         controller.PropertyBag["javascript"] = ???
>         return true;
>     }
> }
>
> Could you please give me an example of this?
>
>
> On Feb 22, 3:55 am, Ayende Rahien <aye...@ayende.com> wrote:
> > Brail will try getting values from the property bag, then the request. You
> > can create a filter to "overwrite" the request parameter.
> >
> > On Sat, Feb 21, 2009 at 11:53 AM, Darin <darin.dimit...@gmail.com> wrote:
> >
> > > I am using the CaptureFor component in order to insert some script
> > > declarations in the head section of my site. I have the following
> > > layout page:
> > >
> > > <!-- default.brail -->
> > > <html>
> > > <head>
> > > ${?javascript}
> > > </head>
> > > <body>
> > > ${?childContent}
> > > </body>
> > > </html>
> > > <!-- end of default.brail -->
> > >
> > > And I use the CaptureFor component in my page like so:
> > >
> > > <!-- index.brail -->
> > > <% component CaptureFor, { @id: 'javascript' }: %>
> > > <script type="text/javascript"
> > > src="some_specific_script_to_index.js"></script>
> > > <% end %>
> > > <p>Hello world from my first action.</p>
> > > <!-- end of index.brail -->
> > >
> > > When I call the index action with http://localhost:3000/home/index.castle,
> > > the script is correctly inserted into the head section and the
> > > expected html is generated. The problem is when I call the index
> > > action with
> > > http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> > > then the value from the request parameter is used instead of the
> > > contents of my CaptureFor component which causes security issues. On
> > > the other hand if I put the value of the javascript variable in the
> > > controller's propertybag inside the index action, the propertybag
> > > always takes precedence over the request variables but I find it ugly
> > > to write such code in the controller.
> > >
> > > As far as I understand, when using the ${?javascript} syntax, the
> > > BrailBase.TryGetParameter method is invoked taking a single argument
> > > which is the name of the parameter. I couldn't find any syntax that
> > > would allow me to specify the scope of the parameter. For example look
> > > only into the view components context and ignore request and form
> > > variables. Is there something I am missing? I would greatly appreciate
> > > any suggestions.
> > >
> > > Kind regards,
> > > Darin Dimitrov
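
The filter the reply describes, written out as an added example (not code from the thread or from the Castle project): it pins the `javascript` key in the property bag before the action runs, so the `${?javascript}` lookup never falls through to the request. The `ReservedViewKeys` list and the `HomeController` class are assumptions for illustration.

```csharp
using Castle.MonoRail.Framework;

// Added example: pins view-only keys in the property bag before the action
// runs, so the ${?javascript} lookup never falls through to the request.
public class ScriptsFilter : IFilter
{
    // Assumption: names the layout reads with ${?name} and that must never
    // be supplied by the client. Only "javascript" appears in the thread.
    private static readonly string[] ReservedViewKeys = { "javascript" };

    public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
                        Controller controller)
    {
        foreach (string key in ReservedViewKeys)
        {
            // Leave a value that was already set on purpose untouched.
            if (!controller.PropertyBag.Contains(key))
            {
                controller.PropertyBag[key] = string.Empty;
            }
        }
        return true; // continue with the action
    }
}

// Hypothetical controller; the attribute runs the filter before every action.
[Filter(ExecuteEnum.BeforeAction, typeof(ScriptsFilter))]
public class HomeController : SmartDispatcherController
{
    public void Index()
    {
    }
}
```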