Please create a patch+test for this.

On Sun, Feb 22, 2009 at 11:54 AM, Darin <darin.dimit...@gmail.com> wrote:

>
> Ayende,
>
> Here's the code of the filter I wrote:
>
> using Castle.MonoRail.Framework;
>
> public class ScriptsFilter : IFilter
> {
>     public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
>                         Controller controller)
>     {
>         // The property bag takes precedence over request parameters, so
>         // blanking the entry stops a request-supplied value reaching the view.
>         if (!string.IsNullOrEmpty(context.Request["javascript"]))
>         {
>             controller.PropertyBag["javascript"] = string.Empty;
>         }
>         return true;
>     }
> }
>
> I registered the filter to run before all actions in my controller. It
> works fine in most cases but I feel there must be a better way. What I
> dislike about this approach is that it will insert an empty string if
> the javascript parameter is passed in the request and it will not use the
> value of my CaptureFor component, which will break the page. Of course
> it will prevent the XSS problems but the page won't work because of
> the missing javascript. Also if I decided to add a new "styles"
> parameter I would need to remember to add it to the filter, or the site
> would be vulnerable again. So what I ended up doing is the following. I
> modified the code of the
> Castle.MonoRail.Views.Brail.BrailBase.GetParameterInternal method
> (http://mvccontrib.googlecode.com/svn/trunk/src/MvcContrib.BrailViewEngine/BrailBase.cs).
> Instead of first checking the current page properties:
>
> if (properties.Contains(name))
>    return new ParameterSearch(properties[name], true);
> if (parent != null)
>    return parent.GetParameterInternal(name);
>
> I inverted the check to first look for the parameters inside the
> parent page:
>
> if (parent != null)
>    return parent.GetParameterInternal(name);
> if (properties.Contains(name))
>    return new ParameterSearch(properties[name], true);
>
> This slight modification worked like a charm. I haven't found any side
> effects so far but if you think I am doing something terribly wrong I
> would like to know. Then I will be left with no other choice but to
> use filters. Thanks for spending your time reading this.
>
> Regards,
> Darin
>
> On Feb 22, 6:31 pm, Ayende Rahien <aye...@ayende.com> wrote:
> > Just set the value, and set the ScriptsFilter to run before the action.
> > You can set it to an empty string.
> >
> > On Sun, Feb 22, 2009 at 4:26 AM, Darin <darin.dimit...@gmail.com> wrote:
> >
> > > Ayende,
> >
> > > Thanks for your reply. If I understand you correctly you are
> > > suggesting that I write a filter that will be applied to all the
> > > actions and it will overwrite the javascript request parameter with the
> > > value inside my CaptureFor component. But how do I get the value of my
> > > CaptureFor component inside a filter?
> >
> > > public class ScriptsFilter : IFilter
> > > {
> > >     public bool Perform(ExecuteEnum exec, IRailsEngineContext context,
> > >                         Controller controller)
> > >     {
> > >         controller.PropertyBag["javascript"] = ???
> > >         return true;
> > >     }
> > > }
> >
> > > Could you please give me an example of this?
> >
> > > On Feb 22, 3:55 am, Ayende Rahien <aye...@ayende.com> wrote:
> > > > Brail will try getting values from the property bag, then the
> > > > request. You can create a filter to "overwrite" the request parameter.
> >
> > > > On Sat, Feb 21, 2009 at 11:53 AM, Darin <darin.dimit...@gmail.com> wrote:
> >
> > > > > I am using the CaptureFor component in order to insert some script
> > > > > declarations in the head section of my site. I have the following
> > > > > layout page:
> >
> > > > > <!-- default.brail -->
> > > > > <html>
> > > > > <head>
> > > > >    ${?javascript}
> > > > > </head>
> > > > > <body>
> > > > >    ${?childContent}
> > > > > </body>
> > > > > </html>
> > > > > <!-- end of default.brail -->
> >
> > > > > And I use the CaptureFor component in my page like so:
> >
> > > > > <!-- index.brail -->
> > > > > <% component CaptureFor, { @id: 'javascript' }: %>
> > > > >    <script type="text/javascript"
> > > > > src="some_specific_script_to_index.js"></script>
> > > > > <% end %>
> > > > > <p>Hello world from my first action.</p>
> > > > > <!-- end of index.brail -->
> >
> > > > > When I call the index action with
> > > > > http://localhost:3000/home/index.castle, the script is correctly
> > > > > inserted into the head section and the expected html is generated.
> > > > > The problem is when I call the index action with
> > > > > http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> > > > > then the value from the request parameter is used instead of the
> > > > > contents of my CaptureFor component which causes security issues. On
> > > > > the other hand if I put the value of the javascript variable in the
> > > > > controller's propertybag inside the index action, the propertybag
> > > > > always takes precedence over the request variables but I find it ugly
> > > > > to write such code in the controller.
> >
> > > > > As far as I understand, when using the ${?javascript} syntax, the
> > > > > BrailBase.TryGetParameter method is invoked taking a single argument
> > > > > which is the name of the parameter. I couldn't find any syntax that
> > > > > would allow me to specify the scope of the parameter. For example look
> > > > > only into the view components context and ignore request and form
> > > > > variables. Is there something I am missing? I would greatly appreciate
> > > > > any suggestions.
> >
> > > > > Kind regards,
> > > > > Darin Dimitrov
> >
>
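A toy model of the two lookup orders discussed in the thread (added here; it is not Castle's BrailBase code nor Darin's patch). It assumes, as the thread describes, that request parameters are merged into every view's own property bag, that CaptureFor stores its captured markup under the same key in the child view's bag, and that the layout's parent is the child view it wraps; the request value and the `layoutOnly` key are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for the ParameterSearch result type named in the thread.
public struct ParameterSearch { public readonly object Value; public readonly bool Found; public ParameterSearch(object v, bool f) { Value = v; Found = f; } }

// Toy view: its own property bag plus an optional parent, like BrailBase.
public sealed class View
{
    private readonly Dictionary<string, object> properties = new Dictionary<string, object>();
    private readonly View parent;
    public View(View parent) { this.parent = parent; }
    public void Set(string name, object value) { properties[name] = value; }

    // Original order: own bag first, then the parent chain.
    public ParameterSearch OwnFirst(string name)
    {
        if (properties.ContainsKey(name)) return new ParameterSearch(properties[name], true);
        if (parent != null) return parent.OwnFirst(name);
        return new ParameterSearch(null, false);
    }

    // Inverted order exactly as quoted: the parent's result is returned whether or not
    // it found the name, so a view that has a parent never consults its own bag.
    public ParameterSearch ParentFirst(string name)
    {
        if (parent != null) return parent.ParentFirst(name);
        if (properties.ContainsKey(name)) return new ParameterSearch(properties[name], true);
        return new ParameterSearch(null, false);
    }
}

public static class Demo
{
    public static void Main()
    {
        const string fromRequest = "REQUEST_SUPPLIED_VALUE"; // constructed ?javascript= value
        const string captured = "<script src=\"some_specific_script_to_index.js\"></script>";
        View index = new View(null);           // index.brail: request params merged in,
        index.Set("javascript", fromRequest);  // then CaptureFor overwrites the same key
        index.Set("javascript", captured);
        View layout = new View(index);         // default.brail, its parent is the child view
        layout.Set("javascript", fromRequest);
        layout.Set("layoutOnly", "value present only in the layout's bag (constructed)");
        Console.WriteLine(layout.OwnFirst("javascript").Value);    // request value shadows the capture
        Console.WriteLine(layout.ParentFirst("javascript").Value); // captured markup is used
        Console.WriteLine(layout.ParentFirst("layoutOnly").Found); // own bag is skipped entirely
    }
}
```

The last lookup is the check worth running against the real engine before adopting the inversion: with the parent's result returned unconditionally, anything the layout holds only in its own bag becomes unreachable, and a page that does not capture `javascript` still resolves the request-supplied value through the child view.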

You received this message because you are subscribed to the Google Groups "Castle Project Users" group.