Ayende,

Here's the code of the filter I wrote:

using Castle.MonoRail.Framework;

// Runs before each action: if the request carries a "javascript" parameter,
// put an empty string into the PropertyBag so that value, rather than the
// request parameter, is what ${?javascript} in the layout resolves to.
public class ScriptsFilter : IFilter
{
    public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
                        Controller controller)
    {
        if (!string.IsNullOrEmpty(context.Request["javascript"]))
        {
            controller.PropertyBag["javascript"] = string.Empty;
        }
        return true; // let the action run
    }
}

I registered the filter to run before all actions in my controller. It
works fine in most cases but I feel there must be a better way. What I
dislike about this approach is that it will insert an empty string if
the javascript parameter is passed in the request and it will not use the
value of my CaptureFor component, which will break the page. Of course
it will prevent the XSS problems, but the page won't work because of
the missing javascript. Also, if I decided to add a new "styles"
parameter I would need to remember to add it to the filter, or the site
would be vulnerable again. So what I ended up doing is the following. I
modified the code of the
Castle.MonoRail.Views.Brail.BrailBase.GetParameterInternal method
(http://mvccontrib.googlecode.com/svn/trunk/src/MvcContrib.BrailViewEngine/BrailBase.cs).
Instead of first checking the current page properties:

if (properties.Contains(name))
    return new ParameterSearch(properties[name], true);
if (parent != null)
    return parent.GetParameterInternal(name);

I inverted the check to first look for the parameters inside the
parent page:

if (parent != null)
    return parent.GetParameterInternal(name);
if (properties.Contains(name))
    return new ParameterSearch(properties[name], true);

This slight modification worked like a charm. I haven't found any side
effects so far, but if you think I am doing something terribly wrong I
would like to know. Then I will be left with no other choice but to
use filters. Thanks for spending your time reading this.

Regards,
Darin
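
The two lookup orders discussed above, modelled as a stand-alone C# program.
This is an added example, not Brail's or Castle MonoRail's code: ViewPage,
ParameterSearch, the way request values are merged into a page's properties,
and the use of the thread's SOME_XSS_CODE placeholder as the request value are
assumptions made for illustration; the real BrailBase builds its property set
from several sources and is not reproduced here. The program shows why the
original order lets a request parameter shadow the CaptureFor block, why the
filter approach blanks the head, and what the inverted order resolves to.

```csharp
// Added example, not Castle MonoRail or Brail code. ViewPage, ParameterSearch
// and the merging of request values into Properties are assumptions.
using System;
using System.Collections.Generic;

// Result of a lookup: the value and whether the name was found at all.
public struct ParameterSearch
{
    public readonly object Value;
    public readonly bool Found;

    public ParameterSearch(object value, bool found)
    {
        Value = value;
        Found = found;
    }
}

// One rendering scope. For a layout, Parent is the view rendered inside it;
// that view's Properties hold what CaptureFor captured. In this model the
// layout's own Properties also carry request parameters, which is what lets
// ?javascript=... shadow the captured block under the original order.
public class ViewPage
{
    public readonly Dictionary<string, object> Properties = new Dictionary<string, object>();
    public readonly ViewPage Parent;

    public ViewPage(ViewPage parent)
    {
        Parent = parent;
    }

    // Original order from the thread: own properties first, then the parent.
    public ParameterSearch GetParameterOriginal(string name)
    {
        if (Properties.ContainsKey(name))
            return new ParameterSearch(Properties[name], true);
        if (Parent != null)
            return Parent.GetParameterOriginal(name);
        return new ParameterSearch(null, false);
    }

    // Inverted order: the parent chain is consulted first. Unlike the snippet
    // quoted in the thread, this version falls back to the page's own
    // properties when no parent knows the name, so a layout-only value still works.
    public ParameterSearch GetParameterInverted(string name)
    {
        if (Parent != null)
        {
            ParameterSearch fromParent = Parent.GetParameterInverted(name);
            if (fromParent.Found)
                return fromParent;
        }
        if (Properties.ContainsKey(name))
            return new ParameterSearch(Properties[name], true);
        return new ParameterSearch(null, false);
    }
}

public static class Demo
{
    // Builds the scenario from the thread: index.brail captured a <script> tag
    // into "javascript", and the request may carry ?javascript=... as well.
    // Both strings are constructed sample input.
    public static ViewPage BuildLayout(string requestJavascript)
    {
        var view = new ViewPage(null);
        view.Properties["javascript"] =
            "<script type=\"text/javascript\" src=\"some_specific_script_to_index.js\"></script>";

        var layout = new ViewPage(view);
        if (requestJavascript != null)
            layout.Properties["javascript"] = requestJavascript; // request param merged in
        return layout;
    }

    public static void Main()
    {
        ViewPage layout = BuildLayout("SOME_XSS_CODE");

        // Original order: the request value wins and lands unescaped in <head>.
        Console.WriteLine("original: " + layout.GetParameterOriginal("javascript").Value);

        // ScriptsFilter modelled: the PropertyBag value (empty string) takes
        // precedence, so the request value is gone but so is the <script> tag.
        ViewPage blanked = BuildLayout("SOME_XSS_CODE");
        blanked.Properties["javascript"] = string.Empty;
        Console.WriteLine("filter:   [" + blanked.GetParameterOriginal("javascript").Value + "]");

        // Inverted order: the CaptureFor content held by the view wins.
        Console.WriteLine("inverted: " + layout.GetParameterInverted("javascript").Value);

        // Without the request parameter both orders agree.
        ViewPage clean = BuildLayout(null);
        Console.WriteLine("no param: " + clean.GetParameterOriginal("javascript").Value);
    }
}
```

One detail worth checking against the real BrailBase before adopting the
inversion: the snippet quoted in the thread returns the parent's result
whether or not the parent found the name, so a value that exists only in the
layout's own properties would no longer resolve whenever a parent page exists.
The model above falls through to the page's own properties in that case. The
underlying point is the same either way: a layout slot that is meant to be
filled by the view should resolve from the view's captured content and never
fall back to request input, because any fallback to the request is an
unescaped reflection point for every slot name the layout uses.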





On Feb 22, 6:31 pm, Ayende Rahien <[email protected]> wrote:
> Just set the value, and set the ScriptsFilter to run before the action.
> You can set it to empty string.
>
> On Sun, Feb 22, 2009 at 4:26 AM, Darin <[email protected]> wrote:
>
> > Ayende,
>
> > Thanks for your reply. If I understand you correctly you are
> > suggesting that I write a filter that will be applied to all the
> > actions and it will overwrite the javascript request parameter with the
> > value inside my CaptureFor component. But how do I get the value of my
> > CaptureFor component inside a filter?
>
> > public class ScriptsFilter : IFilter
> > {
> >    public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
> > Controller controller)
> >    {
> >        controller.PropertyBag["javascript"] = ???
> >        return true;
> >    }
> > }
>
> > Could you please give me an example of this?
>
> > On Feb 22, 3:55 am, Ayende Rahien <[email protected]> wrote:
> > > Brail will try getting values from the property bag, then the request. You
> > > can create a filter to "overwrite" the request parameter.
>
> > > On Sat, Feb 21, 2009 at 11:53 AM, Darin <[email protected]> wrote:
>
> > > > I am using the CaptureFor component in order to insert some script
> > > > declarations in the head section of my site. I have the following
> > > > layout page:
>
> > > > <!-- default.brail -->
> > > > <html>
> > > > <head>
> > > >    ${?javascript}
> > > > </head>
> > > > <body>
> > > >    ${?childContent}
> > > > </body>
> > > > </html>
> > > > <!-- end of default.brail -->
>
> > > > And I use the CaptureFor component in my page like so:
>
> > > > <!-- index.brail -->
> > > > <% component CaptureFor, { @id: 'javascript' }: %>
> > > >    <script type="text/javascript"
> > > > src="some_specific_script_to_index.js"></script>
> > > > <% end %>
> > > > <p>Hello world from my first action.</p>
> > > > <!-- end of index.brail -->
>
> > > > When I call the index action with
> > > > http://localhost:3000/home/index.castle,
> > > > the script is correctly inserted into the head section and the
> > > > expected html is generated. The problem is when I call the index
> > > > action with
> > > > http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> > > > then the value from the request parameter is used instead of the
> > > > contents of my CaptureFor component which causes security issues. On
> > > > the other hand if I put the value of the javascript variable in the
> > > > controller's propertybag inside the index action, the propertybag
> > > > always takes precedence over the request variables but I find it ugly
> > > > to write such code in the controller.
>
> > > > As far as I understand, when using the ${?javascript} syntax, the
> > > > BrailBase.TryGetParameter method is invoked taking a single argument
> > > > which is the name of the parameter. I couldn't find any syntax that
> > > > would allow me to specify the scope of the parameter. For example look
> > > > only into the view components context and ignore request and form
> > > > variables. Is there something I am missing? I would greatly appreciate
> > > > any suggestions.
>
> > > > Kind regards,
> > > > Darin Dimitrov
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Castle Project Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/castle-project-users?hl=en
-~----------~----~----~----~------~----~------~--~---
