I am using the CaptureFor component in order to insert some script
declarations in the head section of my site. I have the following
layout page:
<!-- default.brail -->
<html>
<head>
${?javascript}
</head>
<body>
${?childContent}
</body>
</html>
<!-- end of default.brail -->
And I use the CaptureFor component in my page like so:
<!-- index.brail -->
<% component CaptureFor, { @id: 'javascript' }: %>
<script type="text/javascript"
src="some_specific_script_to_index.js"></script>
<% end %>
<p>Hello world from my first action.</p>
<!-- end of index.brail -->
When I call the index action with http://localhost:3000/home/index.castle,
the script is correctly inserted into the head section and the
expected html is generated. The problem is when I call the index
action with http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
then the value from the request parameter is used instead of the
contents of my CaptureFor component which causes security issues. On
the other hand, if I put the value of the javascript variable in the
controller's PropertyBag inside the index action, the PropertyBag
always takes precedence over the request variables, but I find it ugly
to write such code in the controller.
As far as I understand, when using the ${?javascript} syntax, the
BrailBase.TryGetParameter method is invoked taking a single argument
which is the name of the parameter. I couldn't find any syntax that
would allow me to specify the scope of the parameter. For example, to look
only in the view component's context and ignore request and form
variables. Is there something I am missing? I would greatly appreciate
any suggestions.
Kind regards,
Darin Dimitrov
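The precedence problem described in this post, modelled as an added example in Python; it is not Castle MonoRail or Brail code. The lookup order in resolve_observed (PropertyBag, then request parameters, then CaptureFor content) is reconstructed from what the post reports seeing, not from the Brail source, and resolve_hardened shows the ordering a defender would want: server-controlled sources first, with request data consulted last and HTML-escaped. The names ViewContext, build_context and render_* are hypothetical, and the childContent value is modelled as engine-supplied through the PropertyBag for simplicity.

```python
import html
import re

# Brail's ${?name} placeholder (the nullable lookup used in the post's layout)
PLACEHOLDER = re.compile(r"\$\{\?(\w+)\}")

# Constructed stand-in for default.brail from the post
LAYOUT = "<html><head>${?javascript}</head><body>${?childContent}</body></html>"

# What index.brail captures into the 'javascript' slot (from the post)
CAPTURED_SCRIPT = ('<script type="text/javascript" '
                   'src="some_specific_script_to_index.js"></script>')
CHILD_CONTENT = "<p>Hello world from my first action.</p>"


class ViewContext:
    """Hypothetical model of the three sources a ${?name} lookup can draw on."""

    def __init__(self, property_bag=None, request_params=None, captured=None):
        self.property_bag = dict(property_bag or {})    # set by the controller
        self.request_params = dict(request_params or {})  # attacker-influenced
        self.captured = dict(captured or {})             # CaptureFor output


def resolve_observed(ctx, name):
    """Order the post reports: PropertyBag wins, then request, then CaptureFor.
    A request parameter therefore shadows the captured component content."""
    for scope in (ctx.property_bag, ctx.request_params, ctx.captured):
        if name in scope:
            return scope[name]
    return None


def resolve_hardened(ctx, name):
    """Server-controlled sources first; request data only as a last resort,
    and then HTML-escaped so it can never be emitted as markup."""
    for scope in (ctx.property_bag, ctx.captured):
        if name in scope:
            return scope[name]
    if name in ctx.request_params:
        return html.escape(ctx.request_params[name], quote=True)
    return None


def render(layout, ctx, resolver):
    """Substitute every ${?name} in the layout via the given resolver."""
    def substitute(match):
        value = resolver(ctx, match.group(1))
        return "" if value is None else value
    return PLACEHOLDER.sub(substitute, layout)


def build_context(query_params, with_capture=True):
    """Constructed request context: query string plus what index.brail provides."""
    captured = {"javascript": CAPTURED_SCRIPT} if with_capture else {}
    return ViewContext(property_bag={"childContent": CHILD_CONTENT},
                       request_params=query_params,
                       captured=captured)


def render_observed(query_params, with_capture=True):
    return render(LAYOUT, build_context(query_params, with_capture), resolve_observed)


def render_hardened(query_params, with_capture=True):
    return render(LAYOUT, build_context(query_params, with_capture), resolve_hardened)


if __name__ == "__main__":
    # Constructed marker standing in for SOME_XSS_CODE from the post
    injected = "<script>/*constructed*/injected()</script>"
    print(render_observed({"javascript": injected}))   # request value shadows capture
    print(render_hardened({"javascript": injected}))   # captured script survives
    print(render_hardened({"javascript": injected}, with_capture=False))  # escaped
```

With the observed ordering the request parameter replaces the captured script tag verbatim; with the hardened ordering the CaptureFor content always wins, and a slot that nothing server-side filled is rendered from the query string only in escaped form.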
You received this message because you are subscribed to the Google Groups
"Castle Project Users" group.