Question

I'm maintaining a Cocoon 2.1 application and I have faced a serious problem with request parameters.

Consider the following URL:

http://myapp.com/somePage.html?param1=<expected_integer_value>&param2=<expected_integer_value>

Both param1 and param2 are passed directly into the transformer as parameters (<map:parameter />) and then used directly in JavaScript code via an attribute value template:

`<select ... onchange="someFunction(this, '{$param1}','{$param2}');" >`

The problem is that it is possible to inject JavaScript code through the parameters, and they are not escaped by default (even though all articles about Cocoon and XSLT say that output is escaped by default).

Perhaps someone more experienced with Cocoon and XSL knows something about this problem? How can I escape output in Cocoon? I would appreciate any help and guidance.

Thanks in advance

Simon


Solution

I managed to find a solution for this problem. In the sitemap file, each parameter that has to be passed directly from the URL to the XSLT file has to be escaped using the url-encode function. Example:

<map:parameter name="param1" value="{url-encode:{request-param:theNameOfTheParam}}" />

Regards Simon

OTHER TIPS

Since Cocoon decodes the params, I suggest you do a simple translate to avoid problems with non-escaped parameters:

<select ... onchange="someFunction(this, '{translate($param1, &quot;'&quot;, '')}','{translate($param2, &quot;'&quot;, '')}');" >

see http://www.zvon.org/xxl/XSLTreference/Output/function_translate.html
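The two answers above take different routes to the same attribute: url-encode the parameter in the sitemap, or drop single quotes with translate() in the stylesheet. The JavaScript below is an added example, not code from the question or either answer. It models the onchange attribute value template from the question and, for each of those two strategies plus the raw case and a JS-string escaping function added here for comparison, checks whether a request parameter can still escape its string literal. The serializer behaviour, the java.net.URLEncoder-style url-encode, the function names, the skeleton check and the payloads are all assumptions constructed for the demonstration, not measured Cocoon output.

```javascript
// Added example, not code from the original question or answers. It models
// the attribute value template from the question,
//   onchange="someFunction(this, '{$param1}','{$param2}');"
// and checks, for several ways of handling the request parameters, whether
// the parameters can still break out of their JavaScript string literals.

// Assumption: the XSLT serializer escapes &, <, > and " inside a double-quoted
// attribute value (as a conforming XML/HTML serializer does). It leaves the
// single quote alone, which is why the JS string context is the weak spot.
function serializeAttributeValue(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Inverse of the serializer: what the browser hands to the JS engine.
function decodeAttributeValue(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// Strategy 1: parameter used as-is (the situation in the question).
function raw(value) {
  return value;
}

// Strategy 2: the accepted answer's {url-encode:...}. Assumed to behave like
// java.net.URLEncoder: only A-Z a-z 0-9 . - * _ survive, space becomes '+',
// so quote, backslash and angle brackets all become %XX sequences.
function urlEncode(value) {
  return encodeURIComponent(value)
    .replace(/[!'()~]/g, (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// Strategy 3: the other tip's translate($param, "'", ""), which only drops
// single quotes.
function stripSingleQuotes(value) {
  return value.replace(/'/g, '');
}

// Strategy 4 (assumption, not on the original page): escape for the JS
// string-literal context. Every character that can end the literal, escape
// the next one, or start an HTML tag is emitted as a \uXXXX sequence, which
// the serializer then passes through unchanged.
function jsStringEscape(value) {
  return value.replace(/[\\'"<>\r\n\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render the attribute exactly as the template does.
function buildOnchange(param1, param2, encode) {
  const js = `someFunction(this, '${encode(param1)}','${encode(param2)}');`;
  return `onchange="${serializeAttributeValue(js)}"`;
}

// Tiny scanner: remove the bodies of single-quoted JS string literals,
// honouring backslash escapes the way a JS parser would. Whatever is left is
// the code the browser will actually execute outside the literals.
function codeOutsideStrings(js) {
  let out = '';
  let inString = false;
  for (let i = 0; i < js.length; i++) {
    const ch = js[i];
    if (inString) {
      if (ch === '\\') { i++; continue; }   // escaped char never closes the literal
      if (ch === "'") { inString = false; out += ch; }
      continue;
    }
    if (ch === "'") inString = true;
    out += ch;
  }
  return out;
}

// The handler is intact only if, with both literal bodies removed, exactly the
// fixed skeleton remains. An unterminated literal also fails this check.
const SKELETON = "someFunction(this, '','');";

function parametersStayInStrings(param1, param2, encode) {
  const attr = buildOnchange(param1, param2, encode);
  const js = decodeAttributeValue(attr.slice('onchange="'.length, -1));
  return codeOutsideStrings(js) === SKELETON;
}

// Constructed payloads: the classic quote break-out, and a two-parameter
// variant where a trailing backslash in param1 swallows the closing quote so
// that param2 lands outside the literal without containing a quote itself.
const PAYLOADS = {
  quoteBreakout: ["');alert(1);//", '2'],
  backslashSwallow: ['\\', ';alert(1);//'],
  benign: ['1', '2'],
};

const STRATEGIES = { raw, urlEncode, stripSingleQuotes, jsStringEscape };

// Returns { strategy: { payload: boolean } }; true means the handler stayed
// intact for that payload.
function evaluate() {
  const report = {};
  for (const [sName, encode] of Object.entries(STRATEGIES)) {
    report[sName] = {};
    for (const [pName, [p1, p2]] of Object.entries(PAYLOADS)) {
      report[sName][pName] = parametersStayInStrings(p1, p2, encode);
    }
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(evaluate(), null, 2));
}
```

Run it with node. The report shows that dropping only the single quote stops the classic payload but is defeated by a trailing backslash in param1 combined with a second parameter, while url-encoding and full JS-string escaping keep both parameters inside their literals for every payload. Url-encoding has a side effect worth remembering: someFunction then receives %27 and friends instead of the original characters, so it must decode its arguments if it needs the original text.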

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow