Error with fieldValue tag. Values are not HTML encoded.

Error with fieldValue tag. Values are not HTML encoded.

jasenj1
The 2.0.4 documentation for g:fieldValue says, "Once the value is obtained it will be automatically HTML-encoded."

However, I just ran a test where I entered "</script><script>alert("XSS Vulnerable!");</script>" as a field value. The show page displays the value using g:fieldValue. When the page is displayed, the alert pops up!

In Config.groovy I have grails.views.default.codec= "html" to encode values displayed with ${xxx} by default.

Am I perhaps doing something wrong, or is there a bug? Is there an option (undocumented) to force HTML encoding with fieldValue?

- Jasen.
Re: Error with fieldValue tag. Values are not HTML encoded.

jasenj1
Soo...
In my controller's show method I put:
        println "HTML Encode = ${HTMLCodec.shouldEncode()}"
and the value is "true".

In show.gsp I put:
        ${HTMLCodec.shouldEncode()}
and the value is "false".

I'm confused why HTMLCodec.shouldEncode() has one value in the Controller and another value in the GSP. I'm assuming formatValue (that fieldValue ultimately calls) is using the value active in the GSP context.

In any case, fieldValue is not behaving as described in the docs.

- Jasen.

Re: Error with fieldValue tag. Values are not HTML encoded.

jasenj1
In reply to this post by jasenj1
I think there's a bug in HTMLCodec.java; see lines 45-47.

if (codecName != null && codecName.toString().equalsIgnoreCase("html")) {
    return false;
}

So if the codecName is not empty and the codecName IS "html" then return false???

FWIW, the value IS "html"; I cut out the appropriate chunks of code from HTMLCodec and pasted them into my .gsp to check what HTMLCodec is seeing.

I'll wait for someone to confirm I'm interpreting things properly before filing a bug report.

- Jasen.
Re: Error with fieldValue tag. Values are not HTML encoded.

jasenj1
In reply to this post by jasenj1
Another reply to my own thread. Here's a little experiment I did:
<ul>
<li><g:fieldValue bean="${beanInstance}" field="name"/></li>
<li>${fieldValue(bean: beanInstance, field: "name")}</li>
<li>${beanInstance.name}</li>
</ul>

In Config.groovy set grails.views.default.codec="none".
The first two values will be HTML encoded and the third one will not.  Expected behavior.

In Config.groovy set grails.views.default.codec="html"
The first value is NOT HTML encoded and the second two are. I believe this is incorrect behavior.

This occurs because the fieldValue closure calls

out << formatValue(...)

And formatValue (once you get past all the editor and number formatting stuff at the top) calls

return HTMLCodec.shouldEncode() ? value.toString().encodeAsHTML() : value

When grails.views.default.codec is set to "html", HTMLCodec.shouldEncode() returns false and the raw value is appended to out.

- Jasen.
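A small Groovy model of the two rendering paths discussed in this thread, added here as an example; it is not Grails source, and the class and function names (Encoded, applyDefaultCodec, renderTag, renderExpression, formatValueSafe) are assumptions. It reproduces the experiment's results for both codec settings and shows a hardened variant in which the tag path always encodes and the default codec skips values already marked as encoded.

```groovy
// Added example (not Grails code): models why <g:fieldValue/> and ${fieldValue(...)}
// differ once grails.views.default.codec is "html". All names are assumptions.

// Marker for text that is already HTML-encoded, so the default codec can skip it.
class Encoded { String text; String toString() { text } }

String encodeAsHTML(String s) {
    s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;')
}

// The page's default codec, applied to the result of a ${...} expression only.
String applyDefaultCodec(Object v, String codec) {
    ('html'.equalsIgnoreCase(codec) && !(v instanceof Encoded)) ? encodeAsHTML(v.toString()) : v.toString()
}

// Mirrors the shouldEncode() check quoted in the thread: false when the default codec is "html".
boolean shouldEncode(String codec) { !(codec != null && codec.equalsIgnoreCase('html')) }

// formatValue as the thread describes it.
String formatValue(String value, String codec) { shouldEncode(codec) ? encodeAsHTML(value) : value }

// <g:fieldValue/>: the tag writes straight to out, so the default codec never sees it.
String renderTag(String value, String codec) { formatValue(value, codec) }

// ${fieldValue(...)}: the expression result passes through the default codec.
String renderExpression(String value, String codec) { applyDefaultCodec(formatValue(value, codec), codec) }

// Hardened variant (assumption, not the Grails fix): encode unconditionally and mark the
// result, so the tag path is always safe and the expression path does not double-encode.
Encoded formatValueSafe(String value) { new Encoded(text: encodeAsHTML(value)) }
String renderTagSafe(String value, String codec) { formatValueSafe(value).toString() }
String renderExpressionSafe(String value, String codec) { applyDefaultCodec(formatValueSafe(value), codec) }

// Constructed input: the same string the thread used as a field value.
def payload = '</script><script>alert("XSS Vulnerable!");</script>'

['none', 'html'].each { codec ->
    println "codec=${codec} tag  -> ${renderTag(payload, codec)}"        // raw when codec=html
    println "codec=${codec} expr -> ${renderExpression(payload, codec)}" // encoded once either way
    println "codec=${codec} safe tag  -> ${renderTagSafe(payload, codec)}"
    println "codec=${codec} safe expr -> ${renderExpressionSafe(payload, codec)}"
}
```

With codec=html the vulnerable renderTag line prints the markup untouched, which is the behaviour the experiment above observed for the first list item; every other line prints it entity-encoded exactly once.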