tags:

views:

200

answers:

2
+1  Q: 

Cocoon escape query parameters problem

Hello,

I'm maintaining Cocoon 2.1 application and I faced serious problem with request parameters.

Consider following url:

http://myapp.com/somePage.html?param1=<expected_integer_value>&param2=<expected_integer_value>

Both param1 and param2 are directly passed into transformer as parameters (<map:parameter />) and then directly used in javascript code using attribute value template:

`<select ... onchange="someFunction(this, '{$param1}','{$param2}');" >`

The problem is that it is possible to inject some JavaScript code in parameters and they are not escaped by default (nevertheless all articles about cocoon and xslt says that output is escaped by default).

Perhaps someone more experienced with cocoon and xsl may know something about this problem? How can I escape output in cocoon? I will appreciate any help and guidance.

Thanks in advance

Simon

A: 

since cocoon decodes the prams i suggest you make a simple translate to avoid problem with non-escaped parameter:

<select ... onchange="someFunction(this, '{translate($param1,"'", "")}','{translate($param1,"'", "")}');" >

see http://www.zvon.org/xxl/XSLTreference/Output/function%5Ftranslate.html

Niko  2009-08-16 21:07:01
Thanks for your reply, however this solution is not sufficient for me. It will not cover all of the not allowed characters and it has to be applied in all of the xsl files. I'm looking for more general solution.
Simon  2009-08-17 06:58:22
A: 

I managed to find a solution for this problem. In sitemap file, each parameter that has to be passed directly from url to xslt file has to be escaped using url-encode function. Example

<map:parameter name="param1" value="{url-encode:{request-param:theNameOfTheParam}}" />'

Regards Simon

Simon  2009-08-17 07:04:06

related questions

xslt and xpath: match conditionally upon current node value
How can I make an exact copy of a xml node's children with XSLT?
How to escape XML content with XSL to safely output it as JSON?
How do I convert a .docx to html using asp.net?
Using XSLT, How Do You Insert XML Into an existing XML node
How can I lay images out in a grid using XSL-FO?
How to validate an XML file against a schema using Visual Studio 2005
What is a good resource for learning XSL?
xslt: apply-templates in reverse order
How do you add an image in XSLT?
If you were programming a calendar in HTML would you use Table tags or Div tags?
How to Convert a StreamReader into an XMLReader object in .Net 2.0/C#
Can I create a value for a missing tag in XPath?
ASP.NET MVC vs. XSL
How to apply an XSLT Stylesheet in C#
XSLT dividing a list of nodes in half
XSLT nodesets Length
using a html entity in xslt (e.g. &nbsp;)
XSLT Find and Replace with Unique
XSL Dynamic Element Names
XSLT - Reverse Find in a string
VS2008 SP1 crashes when debugging an XSLT file
Is it "bad practice" to be sensitive to linebreaks in XML documents?
How do you use a variable in xsl when trying to select a node?
.Net XML comment into API Documentation