cocoon-users mailing list archives

From Tobia Conforto <tobia.confo...@linux.it>
Subject Re: Doing string operations over sitemap values
Date Thu, 14 Feb 2008 12:42:35 GMT
Nacho (Derecho.com) wrote:
> * I have this URL "http://localhost:8080/b/menores-de-edad"
> * In sitemap I have a match like "b/**"
> * I need to replace "-" in {1} with spaces
> * I do this using an input module inheriting from
> AbstractJXPathModule, and using an XPath-like expression,
> "{request:translate('{1}','-','')}"

I would write a custom input module that can be called safely like this:
"{translate:-: :{1}}"
It can be implemented using basic java.lang.String methods.

I think your solution doesn't quote the argument correctly and is  
susceptible to "JX code injection" or other problems.
For example the user might go to: http://localhost:8080/b/hello',nasty.java.call(),'world
If I'm not mistaken, the ' after hello would close the JX string and
damage would ensue.


Tobia
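
The quoting problem and the suggested "{translate:-: :{1}}" call, sketched as an added example that is not part of the original message or of Cocoon. It is plain Java with no Cocoon dependency and assumes the module receives the text after "translate:" as its attribute name; `TranslateArgs`, `naiveExpression` and `translate` are hypothetical names.

```java
public final class TranslateArgs {

    /**
     * The shape of the problem: the URL fragment is pasted between quotes
     * into text that an expression evaluator parses afterwards, so a quote
     * in the fragment ends the string literal early.
     */
    static String naiveExpression(String urlPart) {
        return "translate('" + urlPart + "','-','')";
    }

    /**
     * Parses "<from>:<to>:<text>" (the part after "translate:") and returns
     * text with every occurrence of from replaced by to. Only the first two
     * ':' are separators, so the user-controlled text may contain ':' or
     * quotes; it is handled as a plain String and never evaluated.
     * Limitation of this sketch: from and to cannot themselves contain ':'.
     */
    static String translate(String attributeName) {
        String[] parts = attributeName.split(":", 3); // limit 3 keeps the rest in one piece
        if (parts.length != 3 || parts[0].isEmpty()) {
            throw new IllegalArgumentException("expected <from>:<to>:<text>");
        }
        return parts[2].replace(parts[0], parts[1]);
    }

    public static void main(String[] args) {
        // Constructed sample values for {1}; the second is the path from the
        // message above, the third checks that ':' in the text survives.
        String[] samples = {
            "menores-de-edad",
            "hello',nasty.java.call(),'world",
            "a:b-c",
        };
        for (String s : samples) {
            System.out.println("expression text: " + naiveExpression(s));
            System.out.println("module result  : [" + translate("-: :" + s) + "]");
        }
    }
}
```

Running `main` prints, for each sample, the expression text the quoted form would hand to the evaluator next to the string the module form returns.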
