When to encode as HTML in Grails
Solution 1
Use encodeAsHTML() (or encodeAsJavaScript(), etc.) for everything that you've got from the user: for every string that could be modified by the user (got from an input form, from a request parameter, from an external API call, etc.).
See also:
- https://en.wikipedia.org/wiki/Cross-site_scripting
- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
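As an added example (not code from either answer), here is a plain Groovy script that runs without a Grails runtime and reproduces what Grails' encodeAsHTML() does to a user-controlled string, so the raw and the encoded output can be compared side by side. htmlEncode() is a constructed stand-in for the framework's HTML codec, and the comment data is constructed too; in a Grails application you would call value.encodeAsHTML() instead.

```groovy
// Added example, not code from either answer: a plain Groovy script (no Grails
// runtime needed) that reproduces what Grails' encodeAsHTML() does to a
// user-controlled string. htmlEncode() is a constructed stand-in for the
// framework's HTML codec; in a Grails app you would call value.encodeAsHTML().

String htmlEncode(String s) {
    if (s == null) return ''
    // '&' is replaced first so the entities introduced by the later
    // replacements are not themselves re-encoded.
    s.replace('&', '&amp;')
     .replace('<', '&lt;')
     .replace('>', '&gt;')
     .replace('"', '&quot;')
     .replace("'", '&#39;')
}

// Constructed sample data, standing in for values that arrived via a request
// parameter or a form field. The second comment body is the classic XSS probe.
List<Map> comments = [
    [author: 'alice',   body: 'Great article & nice examples'],
    [author: 'mallory', body: '<script>alert(1)</script>'],
]

// What a GSP effectively produces when the value is interpolated as-is:
// the markup inside c.body becomes part of the page.
String renderUnencoded(Map c) {
    "<li><b>${c.author}</b>: ${c.body}</li>"
}

// The same fragment with every user-controlled value passed through the
// encoder: the browser now displays the tag text instead of executing it.
String renderEncoded(Map c) {
    "<li><b>${htmlEncode(c.author)}</b>: ${htmlEncode(c.body)}</li>"
}

comments.each { Map c ->
    println "unencoded: ${renderUnencoded(c)}"
    println "encoded:   ${renderEncoded(c)}"
}

// Sanity checks on the constructed data.
assert renderUnencoded(comments[1]).contains('<script>')
assert !renderEncoded(comments[1]).contains('<script>')
assert renderEncoded(comments[1]).contains('&lt;script&gt;alert(1)&lt;/script&gt;')
assert renderEncoded(comments[0]).contains('&amp; nice')

// Note: HTML encoding is the right codec only for text placed in element
// content or in a quoted attribute value. A value dropped into a <script>
// block or an event-handler attribute needs the JavaScript codec
// (encodeAsJavaScript()) that the answer also mentions.
```

Run it with `groovy xss-encode.groovy` (any file name works); the assertions pass silently and the two println lines per comment show the difference. The point of the closing note is the one practitioners most often get wrong: the codec has to match the output context, so encodeAsHTML() on a value that ends up inside JavaScript is not sufficient.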
Solution 2
I am not sure when this was introduced to Grails, but if in Config.groovy you set grails.views.default.codec="html", then encodeAsHTML() is called whenever you use ${} in GSPs.
Source: http://alwaysthecritic.typepad.com/atc/2010/06/grails-gsp-html-escaping-confusion.html
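As an added illustration (not from the answer or from the linked post), the relevant lines of grails-app/conf/Config.groovy with the weak setting beside the corrected one. The "none" value is the one older Grails versions generated by default; the comments describe what each value means for ${} expressions in GSPs.

```groovy
// Added example, not from the answer above: the relevant lines of
// grails-app/conf/Config.groovy.
//
// With "none", every ${} expression in a GSP is written out verbatim, so any
// user-controlled value must be wrapped in encodeAsHTML() by hand and one
// forgotten call is an XSS bug.
//
// With "html", the output of every ${} expression is HTML-encoded
// automatically; encodeAsHTML() is then only needed for values rendered
// outside GSP expressions (for example markup built as strings in a
// controller or tag library).

// Weak: expressions are emitted unencoded
// grails.views.default.codec = "none"

// Corrected: HTML-encode every ${} expression in GSPs
grails.views.default.codec = "html"
```

After switching to "html", check two things in existing views: expressions that deliberately emit markup now need to be marked as raw output for your Grails version, and places that already called encodeAsHTML() inside ${} should be reviewed for double-encoded output.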
grantmcconnaughey
Wisconsin-based software developer specializing in Python, Django, AWS, and Vue.js.
Updated on July 21, 2022
Comments
- grantmcconnaughey almost 2 years
I often see Grails sample code where the programmer has called a method called encodeAsHTML(). I figure I should probably use this in my Grails applications (for security reasons, I assume?), but I was wondering when I should use this method. What objects/properties/etc. are candidates for the encodeAsHTML() method? Thank you!