I don't know if the following change is an issue or it is intended.
<g:include view="line.gsp" params="['label':'test', 'progress':false]"/>
Then the expression in line.gsp aways evaluates to true, because the type of the 'progress' param is String, not Boolean.
class is: ${params.progress.getClass()}
<g:if test="${params.progress}">
this should not be displayed
</g:if>
Note that the same is applicable for other types, not just Boolean.
I am using grails 3.3.8
This didn't happen in grails 2.5.2.
I didn't find anything about this online so that's why I am asking here. Thanks.
Edit:
As suggested by Daniel, I've tried with grails 3.3.2 also.
I just created an app with grails create-app and modified the existing index.gsp to include line.gsp, as shown in the code above.
Here is a screenshot:
I realize you have already found a workaround to this, but it was bothering me that your code was not working the same way mine was, so I decided to investigate a bit further in case anyone else runs into this issue.
As other people here have mentioned, params.anything will typically return a String value. This is because params are typically encoded as URI parameters (like ?progress=false) and not autoboxed into any other type. (This is perfectly reasonable; there would be no good way for Grails to know what type they should be.) However, it is possible (and occasionally reasonable) to render your view or template from a controller like render view: whatever, model: [your: model, params: params] where you specifically include params in the model. (Perhaps you have a lot of parameters that you do not need to individually recreate in the model.) In this case, the params map will exist as both URI parameters (?progress=false) and page-scoped model entry (params: [progress: Boolean.FALSE]). Page scope takes priority over URI parameters, and so your types will be preserved.
In my testing, I added your code to an existing page where I was already passing params into the model, and so type was preserved for a newly added parameter as well. (Note that once params are in page scope, they're there for included templates or views as well.) Consequently, I saw progress type of Boolean, while in a basic example it would be type String.
TL/DR: either assume params are strings, or explicitly include params in your page-scoped model when rendering.
Yes, this is true. When you are calling params.something, you are actually accessing GrailsParameterMap which is a Map. So your condition actually evaluates as Map->get() which will be Object->toString() and of course it is true cause it's not null and not empty. So the solution will be the following:
<g:if test="${params.getBoolean("progress")}">
this should not be displayed
</g:if>
You can test this as follows
<g:if test="${params.progress && params.progress == 'false'}">
this should not be displayed
</g:if>
Related
I have a search page where I update the URL params on the page as filters are added or removed by the user. This allows me to deep link into the page (ie. going to /search?location=new+york&time=afternoon will set the location and afternoon filters).
I also have a filter named format. I noticed that passing in ?format=whatevervalue to the URL and then reloading the page with that param causes Rails to return a Completed 406 Not Acceptable error. It seems that format is a reserved Rails URL parameter.
Is there anyway to unreserve this parameter name for a particular endpoint?
In the context of an URL in Ruby on Rails there are at least four reserved parameter names: controller, method, id, format.
You cannot use these keys for anything else than for their intended purpose.
If you try to you will override the value internally set by Rails. In your example by setting ?format=whatevervalue you override the default format (html) and your application will try to find and render a whatevervalue template instead of the html formatted template. This will obviously not work.
Fun fact: Instead of using the default Rails path format like /users/123/edit you could use query parameters instead like this: /?controller=users&id=123&method=edit&format&html.
My suggestion is: Do not try to fight Rails conventions. Whenever you try to work around basic Rails conventions it will hurt you later on because it makes updates more difficult, common gems might break, unexpected side-effects will happen. Just use another name for that parameter.
Using the custom url mappings in grails the one would expect the following behavior:
all g.createLink and g.link by default do filtering of the optional attribute params based on Urlmappings.groovy logic. The rest of page params are ignored as irrelevant for the particular url.
Actually this doesn't happen. And the workaround is to provide all link params manually:
<g:link action="action" controller="controller" params="[duplicated entries from url mappings]">my custom params link mapped in UrlMappings</g:link>
Case the page params completelly passed as url params the one becomes a wierd url with custom mapping plus the rest of page params.
There is no duplication. You need to define what parameters are defined in your path (just placeholders). If you generate a link you need to provide the values for those parameters. The values cannot be automatically derived.
The only thing you can do, is to beautify the notation using namedMappings. The advantage of this is, that you get at least an error message, if you have forgotten to pass in some required variables.
Or you define your own link tag, which automatically filters from the global params map.
I'm trying to find out if a Flash application can create a POST request, where some of the names of the posted items include the "." character?
The background:
I’m working with someone who is writing a Flash application that has to POST data to the server. I'm working on the web application which receives and saves the data. As such, I know little about the inner workings of Flash myself.
To allow automated data-binding at the server (within Microsoft MVC), I want the names of the POST items to use a particular naming convention. So if I want to receive the results of two tests, I would like the POST items to use the names:
Tests[0].Score
Tests[0].Passed
Tests[1].Score
Tests[1].Passed
If this data was being submitted from a plain-old HTML form, this would be something like:
<input id="Areas_0__Score" name="Tests[0].Score" type="text" value="70" />
<input id="Areas_0__Passed" name="Tests[0].Passed" type="text" value="true" />
However, the developer says that when constructing a POST request within Flash, any items with a “.” in the name are ignored, and not included in the POST request.
Is this a known limitation of Flash, or should it be possible to include a “.” in the POST item names, as I would like?
Thanks for in advance for any ideas.
The AS3 URLVariables object used to create the post variables is a object. With falsh's syntax, something like foo.bar would mean bar is a descendent/child/property of the foo object. URLVariables are, ultimately, objects also, thus something like Tests[0].Score is not the a valid name for an object. See this example: URLVariables examples
Especially:
var variables:URLVariables = new URLVariables();
variables.exampleSessionId = new Date().getTime();
Makeing a variable like you suggest would not work because of this dot syntax used for object properties/descendants:
variables.Tests[0].Score would, to Flash, mean something like: The variables object has a property called Test[0], which has a property called Score - which makes no sense/is faulty actionscript. As Flash converts the URLVariables object with its attributes into the actual HTTP post, it fails when the attributes have attributes.
I got an exception in a web app I'm developing recently from a url something like:
http://domain.com/script.js?bcsi-ac-16E7C1CCF9EF6357=1C76413C00000002kmNHGZK2deV0Qz25TXynq3fMaPTrBAAAAgAAAD5tGgCEAwAACAAAAPUiAgA=
First of all - what in the world is that? From searching it sounds like maybe it's a cookie / session variable of some kind...
Second of all, the exception was about dynamic assignment of a constant. I tried a simpler url:
http://domain.com/script.js?bcsi-ac
And that gave an exception about the variable or method 'bcsi' not being defined, as if it were trying to evaluate it... WHAT!? I sure as hell hope people can't cause my Rails app to evaluate random code just by passing it to the querystring...
To provide more detail: I'm not doing anything unusual with the querystring data in the route or the controller. I just take the params and pass them into a partial as locals (admittedly not the cleanest way to do it, but simple - and that certainly shouldn't cause it to evaluate a parameter name as code?)
OKAY! Answering my own question again. It turns out passing params in as locals to a partial DOES cause it to evaluate the parameter name as code - obviously it can't use the variable name "bcsi-ac" so it tries to evaluate it.
But the question as to whether that poses a security risk still remains... I don't seem to be able to call methods on things, or actually assign things... but maybe I just haven't tried hard enough. It would seem to me that rails should just throw an exception when passing in a locals hash that includes an invalid variable name.
as a general rule of thumb, any time you allow strings from your url to be evaluated as code you are setting up a huge security risk in your application. you might not be able to call methods on locals as your methods exist server side and the code you are evaluating is client side, but this certainly opens your site up to XSS vulnerabilities among others...
I have hashmap that was created on a page using the struts2 <s:set> tag. It looks something like this
<s:set var="mymap" value="#request.mymap"/>
At some point in the page, i need to get a value from the hashmap based upon a key, and i want to do it using OGNL.
The key is generated based upon some logic, which i store using another <s:set> tag. Something like this
<s:set var="mykey" value="1">
I need to get a value from the hashmap using this key. And I need to display it.
How do I simply call the get function on the hashmap?
I tried this
<s:property value="#mymap[#mykey]"/>
and this
<s:property value="#mymap[%{#mykey}]"/>
and this
<s:property value="%{#mymap[%{#mykey}}]"/>
The third one obviously does not work because of the nesting problem.
But the same nesting logic is applicable to the second case as well, due to the manner the value attribute is handled. However none seem to work for me.
The issue here is that my key is unknown. It is a dynamically generated string based upon some pattern. I need to access the object stored in the hashmap using this dynamic key. And due to the inability of nesting ognl, I am in a fix.
I suppose the issue is very simple. I almost feel that I get it, but somehow the solution eludes me.
I suppose I was using a different version of struts wherein using the %{} was required for the expression to be evaluated. I changed the jar files now.
This is what did the job for me:
<s:property value="#mymap.[#mykey2]"/>
My problem was coming because I was trying to use it in a href for a s:a tag. And without the %{} operator, the expression was not being evaluated.
So, i guess, i was right in the beginning itself. Rest of the time, it was just me being silly. :>
Update:
I wrote a blog post on the issue, in case anyone is interested.
http://mycodefixes.blogspot.com/2010/11/struts-2-creating-and-accessing-maps.html