Hi,
This area is problematic in Grails. The fix for this problem is on
the roadmap of Grails 2.1. (I'm working on it this week.)
Old mailing list thread:
http://grails.1312388.n4.nabble.com/Grails-2-0-Change-default-codec-to-html-td3709223.html
wiki page about the design:
https://github.com/grails/grails-core/wiki/Default-Codecs
Tags are responsible for the correct encoding of their output, unless
specified in the encodeAs= attribute.
Jira issue:
http://jira.grails.org/browse/GRAILS-7136
Please report the xss issue you have found.
Regards,
Lari
23.04.2012 12:51, shenie wrote:
Hi,
Is it the convention that tags should encodeAsHtml before rendering anything
passed to it?
i.e. is it the responsibility of the framework user to know which tags are
safe and which ones are not?
<g:someTag value="${variable}"/>
or
<g:someTag value="${variable.encodeAsHtml()}"/>
I'm asking because I came across a tag that is vulnerable to XSS. I've changed
my code to call encodeAsHtml before passing the value to the tag, but I want
to know the convention to see if I should submit a patch.
Cheers,
Andy
--
View this message in context: http://grails.1312388.n4.nabble.com/Tags-and-encodeAsHtml-tp4579961p4579961.html
Sent from the Grails - dev mailing list archive at Nabble.com.
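As an added illustration (not code from this thread or from Grails itself), the convention Lari describes, written as a hypothetical tag library with the unencoded tag beside the self-encoding one, plus a Grails unit test that checks the safe tag; it assumes a Grails 2.x application where the HTMLCodec supplies `encodeAsHTML()`.

```groovy
// Hypothetical tag library for illustration only.
class GreetingTagLib {

    // Unencoded form: whatever the caller passes is written straight into the
    // page, so a name containing markup is rendered as markup. A GSP author
    // who writes <g:rawGreeting name="${params.name}"/> gets reflected XSS
    // unless they remember to call encodeAsHTML() themselves.
    def rawGreeting = { attrs ->
        out << "<span class=\"greeting\">Hello, ${attrs.name}</span>"
    }

    // Self-encoding form: the tag owns the encoding of its own output, which
    // is the convention the wiki page describes. The GSP author can then write
    // <g:safeGreeting name="${params.name}"/> and the value is HTML-escaped here.
    def safeGreeting = { attrs ->
        String name = attrs.name?.toString() ?: ""
        out << "<span class=\"greeting\">Hello, ${name.encodeAsHTML()}</span>"
    }
}

// Unit test (Grails 2.x test mixins) that pins the safe behaviour down so a
// later refactor cannot silently drop the encoding. The input string is a
// constructed sample containing characters the HTML codec must escape.
import grails.test.mixin.TestFor

@TestFor(GreetingTagLib)
class GreetingTagLibTests {

    void testSafeGreetingEncodesAttributeValue() {
        String sample = '<b>x</b> & "y"'   // constructed sample input
        String html = applyTemplate('<g:safeGreeting name="${n}"/>', [n: sample])

        // No raw tag from the input may survive in the rendered output...
        assert !html.contains('<b>')
        // ...while its escaped form must be present.
        assert html.contains('&lt;b&gt;')
        assert html.contains('&amp;')
    }
}
```

Running the same assertions against `rawGreeting` would fail, which is the quickest way to confirm whether a tag in your own code base leaves encoding to the caller.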