I've renamed the issue http://jira.grails.org/browse/GRAILS-7170
to "XSS vulnerability: g:message doesn't escape message arguments"
(the original title was too broad).
I believe the fix for that problem should be backported to all
actively maintained Grails versions.
As an answer to your question about backporting fixes, we
currently don't have plans to backport the new XSS prevention
as a whole since it's a major change. Technically it's possible of
I have also added a new jira issue:
"XSS prevention solution: Force all output to be "html safe" a
bit like Rail3 SafeBuffer does".
That has been on my todo list for Grails 2.3 and that's one of the
reasons I've ended up with the current architectural solution.
"Secure by default" is one of the goals of the new XSS prevention
solution in Grails 2.3:
Out of the box, apps and plugins
should be immune to such XSS attacks, unless the developers
explicitly take action to change the default behaviour.
Grails is an open source project and I hope more developers could
get involved in grails-core development. Let's make it easier to
write safe webapps with Grails!
Your feedback and contributions are welcome!
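To make the two issues above concrete, here is an added example (not code from Grails, Rails or this thread) written in Ruby because the second issue points at Rails 3's SafeBuffer. It uses a hypothetical, minimal SafeBuffer stand-in, a constructed message bundle, and a `message_unsafe` function that reproduces the g:message argument-escaping bug beside a `message_safe` version where every fragment appended to the output is escaped unless it was explicitly marked html safe; all of those names are assumptions for the illustration.

```ruby
require 'cgi'

# Hypothetical stand-in for Rails 3's ActiveSupport::SafeBuffer (not Rails or
# Grails code). A SafeBuffer is a String that is known to be html safe;
# appending a plain String escapes it first, appending another SafeBuffer
# (already escaped or explicitly trusted) does not.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Escape anything that is not already marked safe before appending it.
  def concat(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : CGI.escapeHTML(other.to_s))
  end
  alias << concat

  def +(other)
    dup.concat(other)
  end
end

# Explicitly mark a string as trusted markup (the deliberate opt-out that
# "secure by default" still needs; comparable to raw()/html_safe in intent).
def raw(str)
  SafeBuffer.new(str)
end

# Escape a string and return it as html safe.
def escape_html(str)
  SafeBuffer.new(CGI.escapeHTML(str.to_s))
end

# Constructed message bundle using MessageFormat-style {n} placeholders.
MESSAGES = {
  'greeting' => 'Hello, {0}! You have {1} new messages.'
}.freeze

# Vulnerable shape: the template comes from a trusted bundle, but the
# arguments (often user input) are substituted into it verbatim.
def message_unsafe(code, args)
  MESSAGES.fetch(code).gsub(/\{(\d+)\}/) { args[Regexp.last_match(1).to_i].to_s }
end

# Fixed shape: build the result in a SafeBuffer so each argument is escaped
# on the way in unless the caller deliberately marked it safe.
def message_safe(code, args)
  out = SafeBuffer.new
  MESSAGES.fetch(code).split(/(\{\d+\})/).each do |part|
    if (m = part.match(/\A\{(\d+)\}\z/))
      out << args[m[1].to_i]      # argument: escaped unless html safe
    else
      out << raw(part)            # bundle text: trusted as written
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(1)</script>'
  puts message_unsafe('greeting', [payload, 3])
  puts message_safe('greeting', [payload, 3])
  puts message_safe('greeting', [raw('<b>Bob</b>'), 3])
end
```

The point of the buffer type is that the default path escapes and the unsafe path requires an explicit `raw` call at the site where the developer takes responsibility for the markup, which is the "secure by default unless the developer explicitly changes the behaviour" property described above.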
05.04.2013 11:17, Alex Anderson wrote:
Interesting. Are fixes for things like this backported, or only
available in new releases?
On 5 April 2013 00:19, Andrew Todd wrote: