Hi there Grails community,
Since my webapp usually does not allow user input in the form of HTML at all, I want to have a reusable solution that:
1. Copies params to originalparams. Removes any HTML markup from params afterwards.
2. Sets up a property hasReplacements that is true if any replacement was needed and false otherwise
3. Injects originalparams and hasReplacements into every controller class that does not define a boolean cleanParams = false attribute
Maybe it could also be useful to have something like static [clean only : <attribute list>] and [clean except: <attribute list>]. This would make the originalparams object dispensable.
Any idea how I can accomplish this? My target is to have a very strict default approach to prevent XSS and stray from it only when collecting true HTML input is necessary.
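One way to build the three steps above (plus the "clean only" / "clean except" lists) is a single Grails interceptor. This is an added example, not code from the original post or from Grails itself. It assumes a Grails 3 application (Grails 2 would use the equivalent `before` block in a `*Filters.groovy` class), jsoup on the classpath (`Safelist` is jsoup 1.14.1+; older releases call it `Whitelist`), and the names `HtmlStripInterceptor`, `cleanOnly`, `cleanExcept` and the two request attributes `originalparams` / `hasReplacements` are choices made here, not conventions the framework knows about.

```groovy
// grails-app/controllers/example/HtmlStripInterceptor.groovy  (assumed location)
package example

import grails.util.GrailsClassUtils
import org.jsoup.Jsoup
import org.jsoup.nodes.Document
import org.jsoup.parser.Parser
import org.jsoup.safety.Safelist

/**
 * Strips HTML markup from every String / String[] request parameter before the
 * controller action runs, unless the controller declares
 *     static boolean cleanParams = false
 * The raw values are kept in the request attribute "originalparams" and the
 * attribute "hasReplacements" records whether anything was changed.
 * Optional per-controller scoping (names assumed here, not a Grails convention):
 *     static List cleanOnly   = ['title', 'comment']   // clean just these keys
 *     static List cleanExcept = ['body']                // clean everything but these
 */
class HtmlStripInterceptor {

    // run before other interceptors so they already see the cleaned params
    int order = HIGHEST_PRECEDENCE + 100

    // URL-mapping keys are not form fields supplied by the user; leave them alone
    private static final List<String> SKIP_KEYS = ['controller', 'action', 'format']

    HtmlStripInterceptor() {
        matchAll()
    }

    boolean before() {
        Class controllerClass = grailsApplication
                .getArtefactByLogicalPropertyName('Controller', controllerName)?.clazz
        if (!controllerClass) return true

        // explicit opt-out: static boolean cleanParams = false
        if (GrailsClassUtils.getStaticPropertyValue(controllerClass, 'cleanParams') == false) {
            return true
        }
        List only   = GrailsClassUtils.getStaticPropertyValue(controllerClass, 'cleanOnly') as List
        List except = GrailsClassUtils.getStaticPropertyValue(controllerClass, 'cleanExcept') as List

        Map<String, Object> originalparams = [:]
        boolean hasReplacements = false

        // copy the key set first, because params is modified inside the loop
        new ArrayList<Object>(params.keySet()).each { Object k ->
            String key = k.toString()
            if (!shouldClean(key, only, except)) return
            Object raw = params.get(key)
            Object cleaned = strip(raw)
            if (!sameValue(raw, cleaned)) {
                originalparams[key] = raw
                params.put(key, cleaned)
                hasReplacements = true
            }
        }

        request.setAttribute('originalparams', originalparams)
        request.setAttribute('hasReplacements', hasReplacements)
        true
    }

    private static boolean shouldClean(String key, List only, List except) {
        if (key in SKIP_KEYS) return false
        if (only != null)   return key in only
        if (except != null) return !(key in except)
        true
    }

    private static Object strip(Object value) {
        if (value instanceof String)   return stripString((String) value)
        if (value instanceof String[]) return ((String[]) value).collect { stripString(it) } as String[]
        value   // nested maps for dotted keys, nulls etc. are left untouched
    }

    private static String stripString(String s) {
        // Safelist.none() drops every element, including script/style contents;
        // prettyPrint(false) keeps the original whitespace; unescapeEntities turns
        // the serializer's "&amp;" back into "&" so plain text compares equal to itself.
        String noTags = Jsoup.clean(s, '', Safelist.none(),
                new Document.OutputSettings().prettyPrint(false))
        Parser.unescapeEntities(noTags, false)
    }

    private static boolean sameValue(Object a, Object b) {
        (a instanceof String[] && b instanceof String[]) ? Arrays.equals(a as String[], b as String[]) : a == b
    }
}
```

In an action, `request.getAttribute('hasReplacements')` tells you whether anything was stripped and `request.getAttribute('originalparams')` holds the raw values for logging or for a "your input was modified" message. Two caveats worth keeping in mind: stripping on input is lossy (an already-escaped `&lt;b&gt;` decodes to `<b>`, and dotted parameters also arrive as nested maps, which this version does not touch), so the proper defence against XSS remains HTML-encoding at output time (Grails' default codec / `encodeAsHTML()`); and a regex such as `<[^>]*>` is not a substitute for a real parser here, since browsers accept malformed tags that such a pattern misses.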