On 14.02.2008 07:42, Tobia Conforto wrote:

Nacho (Derecho.com) wrote:
* I have this URL "http://localhost:8080/b/menores-de-edad";
* In the sitemap I have a match like "b/**"
* I need to replace "-" in {1} with spaces
* I do this using an input module inheriting from AbstractJXPathModule, and using an XPath-like expression, "{request:translate('{1}','-','')}"

I would write a custom input module that can be called safely like this:
"{translate:-: :{1}}"
It can be implemented using basic java.lang.String methods.

I think your solution doesn't quote the argument correctly and is susceptible to "JX code injection" or other problems. For example the user might go to:

http://localhost:8080/b/hello',nasty.java.call(),'world

If I'm not mistaken, the ' after hello would close the Jx string and damage would ensue.

It's JXPath, not JXTemplate. Does it evaluate Java calls at all?

If your example really works, http://localhost:8080/b/nasty.java.call() will as well.

Joerg
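
A sketch of the string handling behind a module called as "{translate:-: :{1}}", added here as an example and not code from the thread or from Cocoon. The class and method names are hypothetical, the Cocoon InputModule wiring is left out, and the sample inputs are constructed; the point is that the URL segment is only ever treated as data and is never spliced into an expression that gets parsed.

```java
import java.util.Objects;

// Hypothetical helper (not part of Cocoon): the core of a "translate" input
// module whose attribute name has the form  from:to:value
public final class TranslateAttribute {

    // Parses "from:to:value" and maps each character of `from` to the
    // character at the same index in `to`. The value is only ever data.
    public static String translate(String attribute) {
        Objects.requireNonNull(attribute, "attribute");
        // Limit 3: colons inside the value (the URL part) are kept intact.
        String[] parts = attribute.split(":", 3);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected from:to:value");
        }
        String from = parts[0], to = parts[1], value = parts[2];
        if (from.isEmpty() || from.length() != to.length()) {
            throw new IllegalArgumentException("from and to must have equal, non-zero length");
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            int idx = from.indexOf(c);
            // Characters not listed in `from` (quotes, commas, parentheses) pass through unchanged.
            out.append(idx >= 0 ? to.charAt(idx) : c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the sitemap would substitute {1} before the call.
        String[] samples = {
            "-: :menores-de-edad",                  // the URL from the original question
            "-: :hello',nasty.java.call(),'world",  // the URL from the reply: stays plain text
            "-: :a:b-c",                            // a colon inside the value survives the split
        };
        for (String s : samples) {
            System.out.println("[" + translate(s) + "]");
        }
    }
}
```

Because ":" separates the three fields, this form cannot use ":" itself as a character in `from` or `to`.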
