Grails 2.0: Change default-codec to ‘html’ ?

Hello,

I would suggest a small change which makes many of the the (new)
Grails Projects out there much more safe:

grails.views.default.codec = "html"
should be the default if new projects are generated.

I saw so many projects in my Grails consulting that didn’t change this (because they did not know or just forgot it). To change this afterwards is a pain and leads to increased effort.

For 99% of all Grails applications there shouldn't be a problem with a default codec of "html".
Please check:
http://www.mosbase.com/2011/08/grails-security-xss-prevention-using.html

Cheers,
Mos
---
http://www.mosbase.com/

On 1 Aug 2011, at 10:25, Stephane Maldini wrote:

> I agree it would be important to make this move, like Rails 3. We still have <%= %> for raw unencoded things but I don't find it very cool looking syntax, perhaps something like ${raw expr} would be better.
>
> On Mon, Aug 1, 2011 at 11:18 AM, Mos <[hidden email]> wrote:
> Hello,
>
> I would suggest a small change which makes many of the the (new)
> Grails Projects out there much more safe:
>
> grails.views.default.codec = "html"
> should be the default if new projects are generated.
>
> I saw so many projects in my Grails consulting that didn’t change this (because they did not know or just forgot it). To change this afterwards is a pain and leads to increased effort.
>
> For 99% of all Grails applications there shouldn't be a problem with a default codec of "html".
> Please check:
> http://www.mosbase.com/2011/08/grails-security-xss-prevention-using.html

Hi all,

I agree that we need to be safer out of the box, but in my experience the default codec (as it stands) is not the solution.

There needs to be a more detailed review of the problem because as Stéphane said, its too easy to bypass default codec - and we've seen people use <%= specifically for that case.

The other reason is that default codec is a complete anti-pattern for plugins. Having the app able to change the default codec at will means that all plugins have to assume nothing about default codec and ALWAYS override default codec themselves in every GSP.

This is pretty lame.

Marc
~ ~ ~
Marc Palmer
Freelancer (Grails/Groovy/Java)

Founder @ http://noticelocal.com | Developer @ http://weceem.org
Member @ http://spottymushroom.com | Contributor @ http://grails.org
Twitter: http://twitter.com/wangjammer5 | Resumé: http://www.anyware.co.uk/marc/
Blog: http://www.anyware.co.uk | Grails Rocks: http://www.grailsrocks.com


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email

> Setting default codec to html on new projects will break an awful lot of plugins for people out of the box. This doesn't mean it is not a valid approach, but it has a high cost associated currently.

Grails 2.0 gives us an opportunity to introduce this change and get
plugin authors updating their GSP pages to use the defaultEncoding
page directive. It's not a perfect solution, but I think making pages
safer by default is worthwhile. And most existing applications will
have the default encoding as "none", so it wouldn't be a breaking
change for existing apps.

> We've had a lot of discussions about this, and evolved thinking, forgotten, and re-remembered and forgotten again :)

Indeed.

> * Add "encodeAs" or "codec" attribute to the GSP tag mechanism, so it is automatically applied to any and all tags with no effort from the tag author.  We already have encodeAs support on a few tags, but it is explicitly added. Example:
> <script …>
>    var url = "${g.createLink(controller:'book', encodeAs:'JavaScript')";
> </script>

The question is whether this should be 'additive'. In other words, the
URL should probably be URL encoded and then encoded as JavaScript.
That's additive. But perhaps there are examples where you want to
override the default encoding of a tag?

Anyway, I don't think we're that far away from a solution, but I can't
see all the above being introduced for Grails 2.0. So I still think
changing the default and encouraging plugin developers to update their
plugins is the best thing to do right now.

Peter

PS What's the best channel for communicating such changes to plugin
authors? Dev mailing list with a [FAO: Plugin authors]? Something
else?

--
Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email

> +1, to change the default in the upcoming Grails 2.0 M2.
>
> I don't understand the problem with existing plugins. I think most plugins
> don't have to change anything.
> Even today they work regardless of the default encoding.  Some applications
> use 'none' today, others change
> it to 'html', and all of them using the same plugins today.

If a plugin provides GSPs with explicit calls to encodeAsHTML(), those
pages will have double-encoded content. That's a significant problem.
How many plugins would be affected? Don't know. But it would be
another source of user frustration.

Peter

--

Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email

> If a plugin provides GSPs with explicit calls to encodeAsHTML(), those
> pages will have double-encoded content. That's a significant problem.
> How many plugins would be affected? Don't know. But it would be
> another source of user frustration

Right, but that's the same situation as today with Grails 1.x. Isn't it?
People that switch the default to 'html' would also have double-encoded content, today.
(And I assume and hope that many people use the 'html'-default even today)

I think not many plugins use encodeAsHTML() today (and if I would consider this
as a bug, because a plugin never knows what the default encoding of the application would be).
Shouldn't we double-check if encodeAsHTML() is used in any plugins today, before discussing a theoretically problem?

Regarding encodeAsHTML() in general I would suggest a "default-checking":  Couldn't the method
just check the default and if it is set to 'html' don't encode a second time?

Cheers,
Mos
---
http://www.mosbase.com/

On Fri, Aug 12, 2011 at 4:20 PM, Peter Ledbrook <[hidden email]> wrote:

> +1, to change the default in the upcoming Grails 2.0 M2.
>
> I don't understand the problem with existing plugins. I think most plugins
> don't have to change anything.
> Even today they work regardless of the default encoding.  Some applications
> use 'none' today, others change
> it to 'html', and all of them using the same plugins today.

If a plugin provides GSPs with explicit calls to encodeAsHTML(), those
pages will have double-encoded content. That's a significant problem.
How many plugins would be affected? Don't know. But it would be
another source of user frustration.

Peter

--

Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email

16.08.2011 11:33, Peter Ledbrook wrote:
>
> encodeAsHTML() has no way of knowing whether a string has already been
> encoded or not. That's one of the problems. We don't keep track during
> request processing of what encoding is currently active.
>
> Also, examples of plugin pages that will break:
>
>     show.gsp from the scaffolding
>     https://github.com/grails-plugins/grails-spring-security-ui/blob/master/grails-app/views/user/create.gsp#L50
>
> Sorry, don't have time to look for others. I'm sure Marc will list a
> bunch of his plugins that use encodeAsHTML(). So it's a real problem
> that we need to be wary of.

btw. Marc has created a Jira issue some time ago which is related to
this discussion:
http://jira.grails.org/browse/GRAILS-7136
I've been thinking of the solution in the back of my head since then,
based on the ideas Marc presented in the jira issue.

Currently the output of gsps and taglibs uses StreamCharBuffer class
extensively.
We could add the tracking of which encoding has been applied to the
StreamCharBuffer class.

encodeAs* (Codec support in Grails) could be made to defer encoding
until the "final merging" and output of the buffer. Each sub-buffer
would have information about which Codec to use when it gets written to
the "final output" (=response).This would prevent "double encoding" and
make it possible to output parts which shouldn't be encoded (like html
content coming from a CMS) at all. It's also possible to improve /
optimize performance in this kind of solution. It would be optimal if
Codec's had some kind of streaming interface (java.io.Writer?) to be
able to apply the codec when it's written to the underlying Writer
(without doing extra string conversions).

I don't think this is a hard problem to solve since StreamCharBuffer is
already used in taglib & gsp output. It's just about extending
StreamCharBuffer's features.

Regards,

Lari

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email

>> Regarding encodeAsHTML() in general I would suggest a "default-checking":
>> Couldn't the method
>> just check the default and if it is set to 'html' don't encode a second
>> time?
>
> Addition:  This should only apply if encodeAsHTML() is used in GSPs ${...}
> expressions.
>   I don't know if this method could check for this context?

encodeAsHTML() has no way of knowing whether a string has already been
encoded or not. That's one of the problems. We don't keep track during
request processing of what encoding is currently active.

Also, examples of plugin pages that will break:

   show.gsp from the scaffolding
   https://github.com/grails-plugins/grails-spring-security-ui/blob/master/grails-app/views/user/create.gsp#L50

Sorry, don't have time to look for others. I'm sure Marc will list a
bunch of his plugins that use encodeAsHTML(). So it's a real problem
that we need to be wary of.

Peter

--
Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email

> Setting default codec to html on new projects will break an awful lot of plugins for people out of the box. This doesn't mean it is not a valid approach, but it has a high cost associated currently.

Grails 2.0 gives us an opportunity to introduce this change and get
plugin authors updating their GSP pages to use the defaultEncoding
page directive. It's not a perfect solution, but I think making pages
safer by default is worthwhile. And most existing applications will
have the default encoding as "none", so it wouldn't be a breaking
change for existing apps.

> We've had a lot of discussions about this, and evolved thinking, forgotten, and re-remembered and forgotten again :)

Indeed.

> * Add "encodeAs" or "codec" attribute to the GSP tag mechanism, so it is automatically applied to any and all tags with no effort from the tag author.  We already have encodeAs support on a few tags, but it is explicitly added. Example:
> <script …>
>    var url = "${g.createLink(controller:'book', encodeAs:'JavaScript')";
> </script>

The question is whether this should be 'additive'. In other words, the
URL should probably be URL encoded and then encoded as JavaScript.
That's additive. But perhaps there are examples where you want to
override the default encoding of a tag?

Anyway, I don't think we're that far away from a solution, but I can't
see all the above being introduced for Grails 2.0. So I still think
changing the default and encouraging plugin developers to update their
plugins is the best thing to do right now.

Peter

PS What's the best channel for communicating such changes to plugin
authors? Dev mailing list with a [FAO: Plugin authors]? Something
else?

--
Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email