Tag Archive for 'MonoRail'

MonoRail – RenderMailMessage – System.ArgumentNullException: Value cannot be null. Parameter name: format

This was a nasty issue…

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentNullException: 
Value cannot be null.
Parameter name: format
   at System.String.Format(IFormatProvider provider, String format, Object[] args)
   at System.String.Format(String format, Object arg0, Object arg1)
   --- End of inner exception stack trace ---

Background

This is part of the stack trace I got in one of my applications which uses MonoRail. I got it while creating the Castle.Components.Common.EmailSender.Message in order to prepare the content of the email, given the name of its template file (vm):

Message msg = RenderMailMessage(templateName);

That view file defined the content and used data from PropertyBag and from Resource files.

Just to recall, a resource file (resx) is bound to the controller class with this definition:

[Resource("text", "LocalizationSample.Resources.Home")]

What was wrong there? I was sure the templateName passed as the parameter was correct – it for sure pointed to the correct vm file. Moreover, that piece of code was defined in a superclass which was extended by this particular controller and by another one which could also send this email. Of course there was no problem with sending the email from the latter.

Solution

The problem here was I used this construction in the vm file:

$string.format($text.someText, $param1, $param2)

And for some reason I forgot to bind the appropriate resource file (the one referenced with $text) with one of the controllers. As a result, string.format failed because $param1 and $param2 couldn’t be injected into a string which was not found: the format argument was null, as the exception says.

NVelocity and XSS

NVelocity is a view engine for MonoRail. It’s quite handy and it’s not difficult to deliver such views.

One of the flaws I can name is security. By default there’s not much support for it. For instance, it’s possible to perform XSS (cross-site scripting) attacks by providing XHTML or JavaScript code.

I spent some time googling for existing solutions for that MAJOR issue but I failed to find anything interesting. The most useful information I’ve found was the article called Cross Site Scripting and letting the framework deal with it. According to its author, Oren Eini, some support for HTML encoding has been implemented for Brail, which is another MonoRail view engine. But… I’m interested in NVelocity, not Brail!

Should you discover anything interesting on that topic, please post a link as a comment for this post. I’d be grateful :)
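
One way to close the gap described above is to encode values before the view sees them. The following is an added example, not code from the original post or from MonoRail: HtmlEncoded and SafeBag are hypothetical names, the Hashtable stands in for the controller's PropertyBag, and it assumes the view engine writes a reference such as $comment by calling ToString() on the value.

```csharp
using System;
using System.Collections;
using System.Net;

// Wraps a value so that rendering it (ToString()) yields HTML-encoded text
// instead of raw markup. Hypothetical type, not part of MonoRail or NVelocity.
public sealed class HtmlEncoded
{
    private readonly object inner;
    public HtmlEncoded(object inner) { this.inner = inner; }

    public override string ToString()
    {
        // Convert.ToString returns an empty string for null, so a missing value
        // renders as nothing rather than throwing.
        return WebUtility.HtmlEncode(Convert.ToString(inner));
    }
}

public static class SafeBag
{
    // Returns a copy of the bag in which every string value is wrapped.
    // Non-string values (numbers, dates, helper objects) pass through unchanged.
    public static IDictionary Wrap(IDictionary bag)
    {
        var safe = new Hashtable();
        foreach (DictionaryEntry e in bag)
            safe[e.Key] = e.Value is string ? new HtmlEncoded(e.Value) : e.Value;
        return safe;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input standing in for a PropertyBag filled from a form post.
        var bag = new Hashtable();
        bag["comment"] = "<script>alert(1)</script>";
        bag["count"] = 3;

        IDictionary safe = SafeBag.Wrap(bag);

        // What a template line such as <p>$comment</p> would emit, raw and wrapped.
        Console.WriteLine("<p>" + bag["comment"] + "</p>");
        Console.WriteLine("<p>" + safe["comment"] + "</p>");
    }
}
```

HTML entity encoding is only correct for values placed in element content or quoted attribute values; a value written into a script block or a URL needs the encoding for that context instead.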
