When to encode as HTML in Grails


Solution 1

Use encodeAsHTML() (or encodeAsJavaScript, etc.) for everything that you've got from the user, i.e. for every string that could be modified by the user (got from an input form, from a request parameter, from an external API call, etc.).
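To make the advice above concrete, here is an added example (it is not part of the original answer and is not Grails' own code): a plain Groovy script whose htmlEncode() and jsEncode() are illustrative stand-ins for what Grails' encodeAsHTML() and encodeAsJavaScript() do, and whose render*() methods stand in for the output of a GSP. The payload strings are constructed attacker input, such as a request parameter. The point it shows beyond the answer is that the codec has to match the context the value is written into: HTML encoding is right for element content, but a value placed inside an inline script string needs the JavaScript codec.

```groovy
// Added example, not from the original answers: a plain Groovy script that
// mimics what Grails' HTML and JavaScript codecs do, so the effect of
// encodeAsHTML() / encodeAsJavaScript() can be seen without a running Grails app.
// htmlEncode() and jsEncode() are illustrative reimplementations, not the
// Grails codecs themselves; the render*() methods stand in for GSP output.

// Escape the characters HTML gives meaning to (what encodeAsHTML() is for).
// '&' goes first so the entities introduced afterwards are not re-escaped.
String htmlEncode(String s) {
    s.replace('&', '&amp;')
     .replace('<', '&lt;')
     .replace('>', '&gt;')
     .replace('"', '&quot;')
     .replace("'", '&#39;')
}

// Escape for a JavaScript string literal (what encodeAsJavaScript() is for).
// Backslash goes first for the same reason.
String jsEncode(String s) {
    s.replace('\\', '\\\\')
     .replace("'", "\\'")
     .replace('"', '\\"')
     .replace('\n', '\\n')
     .replace('\r', '\\r')
     .replace('<', '\\x3C')   // keeps "</script>" inside the value from closing the block
     .replace('>', '\\x3E')
}

// Stand-in for a GSP containing `<p>Hello, ${name}</p>` with no default codec:
// the value lands in the page byte-for-byte.
String renderUnsafe(String name) { "<p>Hello, ${name}</p>" }

// Same template with `${name.encodeAsHTML()}`.
String renderSafe(String name)   { "<p>Hello, ${htmlEncode(name)}</p>" }

// A value dropped into an inline script sits inside a JS string literal, so the
// HTML codec is the wrong tool here; this is the `${who.encodeAsJavaScript()}` case.
String renderScript(String who)  { "<script>var who = '${jsEncode(who)}';</script>" }

// Constructed attacker-controlled inputs, e.g. params.name or a form field.
String payload   = '<script>alert("xss")</script>'
String jsPayload = "'; alert(1); //"

// Unencoded: the script tag survives and the browser executes it.
assert renderUnsafe(payload) == '<p>Hello, <script>alert("xss")</script></p>'

// HTML-encoded: the browser shows the text, nothing executes.
assert renderSafe(payload)   == '<p>Hello, &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p>'

// JS-encoded: the quote that would have ended the string literal is escaped.
assert renderScript(jsPayload) == "<script>var who = '\\'; alert(1); //';</script>"

println renderUnsafe(payload)
println renderSafe(payload)
println renderScript(jsPayload)
```

Run it with `groovy` on the command line; the asserts pass silently and the three rendered fragments are printed. The same rule applies to every other output context a GSP has (URL query strings, attribute values), which is why Grails ships one codec per context rather than a single "escape everything" call.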

Solution 2

I am not sure when this was introduced to Grails, but if in Config.groovy you set grails.views.default.codec="html" then encodeAsHTML() is called whenever you use ${} in GSPs.

Source: http://alwaysthecritic.typepad.com/atc/2010/06/grails-gsp-html-escaping-confusion.html
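The config setting the answer refers to, as an added example (not part of the original answer) showing the weak and the hardened value side by side. The Grails 2.3+ per-context form in the trailing comment is assumed from the later documentation; check it against the docs for the Grails version you run.

```groovy
// Config.groovy: default codec for GSP expressions.
// Added example, not from the original answer.

// Weak: no default codec. Every ${...} in every GSP writes the raw value into the
// page unless the developer remembers to call encodeAsHTML() on it by hand.
// grails.views.default.codec = "none"

// Hardened: HTML-encode every ${...} by default. Output that must stay raw
// (already-escaped markup from a trusted source) then has to opt out explicitly.
grails.views.default.codec = "html"

// Grails 2.3 and later replaced the single setting with per-context codecs
// (assumed form, verify against your version's docs):
// grails.views.gsp.codecs = [
//     expression:  'html',   // ${...}
//     scriptlet:   'html',   // <%= ... %>
//     taglib:      'none',   // tag library output
//     staticparts: 'none'    // literal template text
// ]
```

Two caveats a practitioner will want. First, this default covers the HTML-content context only; a value written into an inline script or a URL still needs encodeAsJavaScript() or encodeAsURL() at that spot. Second, with the default set to html, an explicit encodeAsHTML() on the same value can double-encode on older Grails releases (visible as `&amp;lt;` in the page); Grails 2.3 and later track the encoding state to avoid this and provide raw()/encodeAsRaw() for the trusted-markup opt-out, which is again something to confirm for your version.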

Author by grantmcconnaughey

Updated on July 21, 2022

Comments

  • grantmcconnaughey (almost 2 years ago)

    I often see Grails sample code where the programmer has called a method called encodeAsHTML(). I figure I should probably use this in my Grails applications (for security reasons, I assume?), but I was wondering when I should use this method. What objects/properties/etc. are candidates for the encodeAsHTML() method?

    Thank you!