Brail will try getting values from the property bag, then the request. You can create a filter to "overwrite" the request parameter.

On Sat, Feb 21, 2009 at 11:53 AM, Darin <[email protected]> wrote:
>
> I am using the CaptureFor component in order to insert some script
> declarations in the head section of my site. I have the following
> layout page:
>
> <!-- default.brail -->
> <html>
> <head>
> ${?javascript}
> </head>
> <body>
> ${?childContent}
> </body>
> </html>
> <!-- end of default.brail -->
>
> And I use the CaptureFor component in my page like so:
>
> <!-- index.brail -->
> <% component CaptureFor, { @id: 'javascript' }: %>
> <script type="text/javascript"
> src="some_specific_script_to_index.js"></script>
> <% end %>
> <p>Hello world from my first action.</p>
> <!-- end of index.brail -->
>
> When I call the index action with http://localhost:3000/home/index.castle,
> the script is correctly inserted into the head section and the
> expected html is generated. The problem is when I call the index
> action with
> http://localhost:3000/home/index.castle?javascript=SOME_XSS_CODE,
> then the value from the request parameter is used instead of the
> contents of my CaptureFor component which causes security issues. On
> the other hand if I put the value of the javascript variable in the
> controller's propertybag inside the index action, the propertybag
> always takes precedence over the request variables but I find it ugly
> to write such code in the controller.
>
> As far as I understand, when using the ${?javascript} syntax, the
> BrailBase.TryGetParameter method is invoked taking a single argument
> which is the name of the parameter. I couldn't find any syntax that
> would allow me to specify the scope of the parameter. For example look
> only into the view components context and ignore request and form
> variables. Is there something I am missing? I would greatly appreciate
> any suggestions.
>
> Kind regards,
> Darin Dimitrov
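
The lookup order described in the reply (property bag first, then request), as a small Python model added here for illustration; it is not Brail or MonoRail code and not from either poster. The names `resolve`, `render` and `seed_layout_slots` are hypothetical, the seeding step is an assumed stand-in for the suggested filter, and how CaptureFor content reaches the view is not modelled.

```python
import re
from urllib.parse import parse_qs

# Layout from the thread; ${?name} is an optional parameter lookup.
LAYOUT = "<html><head>${?javascript}</head><body>${?childContent}</body></html>"
LAYOUT_SLOTS = ("javascript", "childContent")  # names only views should fill


def resolve(name, property_bag, request_params):
    """Model of the stated lookup order: property bag, then request."""
    if name in property_bag:
        return property_bag[name]
    return request_params.get(name, "")  # client-controlled fallback


def render(layout, property_bag, query_string):
    # parse_qs returns lists; keep the first value of each parameter.
    request_params = {k: v[0] for k, v in parse_qs(query_string).items()}
    return re.sub(r"\$\{\?(\w+)\}",
                  lambda m: resolve(m.group(1), property_bag, request_params),
                  layout)


def seed_layout_slots(property_bag, slots=LAYOUT_SLOTS):
    """Assumed stand-in for the suggested filter: give every layout slot a
    property-bag entry before the action runs, so the lookup never falls
    through to the request for those names."""
    for slot in slots:
        property_bag.setdefault(slot, "")
    return property_bag


def demo():
    query = "javascript=SOME_XSS_CODE"  # constructed, mirrors the URL in the thread
    bag = {"childContent": "<p>Hello world from my first action.</p>"}
    unsafe = render(LAYOUT, dict(bag), query)                     # slot unset
    safe = render(LAYOUT, seed_layout_slots(dict(bag)), query)    # slot seeded
    return unsafe, safe


if __name__ == "__main__":
    for page in demo():
        print(page)
```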
