Please create a patch+test for this.

On Sun, Feb 22, 2009 at 11:54 AM, Darin <darin.dimit...@gmail.com> wrote:
>
> Ayende,
>
> Here's the code of the filter I wrote:
>
>     using Castle.MonoRail.Framework;
>
>     public class ScriptsFilter : IFilter
>     {
>         public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
>                             Controller controller)
>         {
>             // If the request carries a "javascript" parameter, shadow it with
>             // an empty PropertyBag entry so the view never renders the request value.
>             if (!string.IsNullOrEmpty(context.Request["javascript"]))
>             {
>                 controller.PropertyBag["javascript"] = string.Empty;
>             }
>             return true;
>         }
>     }
>
> I registered the filter to run before all actions in my controller. It
> works fine in most cases but I feel there must be a better way. What I
> dislike about this approach is that it will insert an empty string if the
> javascript parameter is passed in the request and it will not use the
> value of my CaptureFor component, which will break the page. Of course
> it will prevent the XSS problems but the page won't work because of
> the missing javascript. Also if I decided to add a new "styles"
> parameter I will need to remember to add it to the filter, or the site
> will be vulnerable again. So what I ended up doing is the following. I
> modified the code of the
> Castle.MonoRail.Views.Brail.BrailBase.GetParameterInternal method
> (http://mvccontrib.googlecode.com/svn/trunk/src/MvcContrib.BrailViewEngine/BrailBase.cs).
> Instead of first checking the current page properties:
>
>     if (properties.Contains(name))
>         return new ParameterSearch(properties[name], true);
>     if (parent != null)
>         return parent.GetParameterInternal(name);
>
> I inverted the check to first look for the parameters inside the
> parent page:
>
>     if (parent != null)
>         return parent.GetParameterInternal(name);
>     if (properties.Contains(name))
>         return new ParameterSearch(properties[name], true);
>
> This slight modification worked like a charm. I haven't found any side
> effects so far but if you think I am doing something terribly wrong I
> would like to know it. Then I will be left with no other choice but to
> use filters. Thanks for spending your time reading this.
>
> Regards,
> Darin
>
> On Feb 22, 6:31 pm, Ayende Rahien <aye...@ayende.com> wrote:
> > Just set the value, and set the ScriptsFilter to run before the action.
> > You can set it to empty string.
> >
> > On Sun, Feb 22, 2009 at 4:26 AM, Darin <darin.dimit...@gmail.com> wrote:
> > > Ayende,
> > >
> > > Thanks for your reply. If I understand you correctly you are
> > > suggesting me to write a filter that will be applied to all the
> > > actions and it will overwrite the javascript request parameter with the
> > > value inside my CaptureFor component. But how do I get the value of my
> > > CaptureFor component inside a filter?
> > >
> > >     public class ScriptsFilter : IFilter
> > >     {
> > >         public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
> > >                             Controller controller)
> > >         {
> > >             controller.PropertyBag["javascript"] = ???
> > >             return true;
> > >         }
> > >     }
> > >
> > > Could you please give me an example of this?
> > >
> > > On Feb 22, 3:55 am, Ayende Rahien <aye...@ayende.com> wrote:
> > > > Brail will try getting values from the property bag, then the
> > > > request. You can create a filter to "overwrite" the request parameter.
> > > >
> > > > On Sat, Feb 21, 2009 at 11:53 AM, Darin <darin.dimit...@gmail.com> wrote:
> > > > > I am using the CaptureFor component in order to insert some script
> > > > > declarations in the head section of my site. I have the following
> > > > > layout page:
> > > > >
> > > > >     <!-- default.brail -->
> > > > >     <html>
> > > > >       <head>
> > > > >         ${?javascript}
> > > > >       </head>
> > > > >       <body>
> > > > >         ${?childContent}
> > > > >       </body>
> > > > >     </html>
> > > > >     <!-- end of default.brail -->
> > > > >
> > > > > And I use the CaptureFor component in my page like so:
> > > > >
> > > > >     <!-- index.brail -->
> > > > >     <% component CaptureFor, { @id: 'javascript' }: %>
> > > > >     <script type="text/javascript"
> > > > >             src="some_specific_script_to_index.js"></script>
> > > > >     <% end %>
> > > > >     <p>Hello world from my first action.</p>
> > > > >     <!-- end of index.brail -->
> > > > >
> > > > > When I call the index action with
> > > > > http://localhost:3000/home/index.castle, the script is correctly
> > > > > inserted into the head section and the expected html is generated.
> > > > > The problem is when I call the index action with
> > > > > http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> > > > > then the value from the request parameter is used instead of the
> > > > > contents of my CaptureFor component, which causes security issues.
> > > > > On the other hand if I put the value of the javascript variable in
> > > > > the controller's propertybag inside the index action, the
> > > > > propertybag always takes precedence over the request variables but
> > > > > I find it ugly to write such code in the controller.
> > > > >
> > > > > As far as I understand, when using the ${?javascript} syntax, the
> > > > > BrailBase.TryGetParameter method is invoked taking a single argument
> > > > > which is the name of the parameter. I couldn't find any syntax that
> > > > > would allow me to specify the scope of the parameter. For example,
> > > > > look only into the view components context and ignore request and
> > > > > form variables. Is there something I am missing? I would greatly
> > > > > appreciate any suggestions.
> > > > >
> > > > > Kind regards,
> > > > > Darin Dimitrov
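Added illustration, not code from the thread or from Castle: a constructed stand-in for the two-level lookup Darin describes, showing how the original own-properties-first order lets a colliding query-string name shadow the CaptureFor output held by the parent view, and how the inverted order avoids it. The names ViewScope, ResolveOwnFirst and ResolveParentFirst are mine, and the inverted resolver here additionally falls back to the layout's own properties when the parent lacks the name, which the quoted snippet does not do.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in (not Castle code) for the view/parent chain the thread
// describes: every page owns a property table and a reference to its parent.
public sealed class ViewScope
{
    public Dictionary<string, string> Properties { get; } = new Dictionary<string, string>();
    public ViewScope Parent { get; set; }

    // Order of the original GetParameterInternal: own properties, then parent.
    // The layout's own properties include request parameters, so a colliding
    // query-string name shadows whatever CaptureFor produced in the parent.
    public string ResolveOwnFirst(string name)
    {
        if (Properties.TryGetValue(name, out var own)) return own;
        return Parent?.ResolveOwnFirst(name);
    }

    // Inverted order from the thread: consult the parent (the view that ran
    // CaptureFor) before the request-populated layout properties. Unlike the
    // quoted snippet, this still falls back to own properties when the parent
    // does not know the name, so layout-only parameters keep resolving.
    public string ResolveParentFirst(string name)
    {
        var fromParent = Parent?.ResolveParentFirst(name);
        if (fromParent != null) return fromParent;
        return Properties.TryGetValue(name, out var own) ? own : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed request in which the query string reuses the CaptureFor id.
        var request = new Dictionary<string, string> { ["javascript"] = "SOME_XSS_CODE" };
        const string captured = "<script src=\"some_specific_script_to_index.js\"></script>";

        var view = new ViewScope();                   // index.brail: CaptureFor output lives here
        view.Properties["javascript"] = captured;
        var layout = new ViewScope { Parent = view }; // default.brail: populated from the request
        foreach (var kv in request) layout.Properties[kv.Key] = kv.Value;

        // Own-first resolves to the request value; parent-first to the captured markup.
        Console.WriteLine("own-first   : " + layout.ResolveOwnFirst("javascript"));
        Console.WriteLine("parent-first: " + layout.ResolveParentFirst("javascript"));
    }
}
```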