Grails - best practice for avoiding XSS in flash.message?

So the default controllers generated for you in Grails will return a message to the user letting them know something was inserted/edited successfully. By default they return the id of the thing inserted, domainClassInstance.id, at the end of the following line:

flash.message = "${message(
    code: 'default.updated.message', 
    args: [
      message(code: 'domainclass.label', default: ''), 
      domainClassInstance.id
    ])}"

An obvious improvement to make in your actual app is to change this for the title/name of the object in question, ie:

flash.message = "${message(
    code: 'default.updated.message', 
    args: [
      message(code: 'domainClass.label', default: ''), 
      domainClassInstance.name
    ])}"

This however introduces an XSS vulnerability, as the 'name' field is output directly as the message. Is there a catch-all, foolproof way to recommend people create their messages to avoid this, or do I need to make sure people always tag an .encodeAsHTML() onto the name parameter? That seems a little prone to cockup to me.

Thanks, Robin

Robin asked Oct 28 '25 04:10
1 Answer

  • Add an encodeAs="HTML" attribute to the message parameters.
  • BTW you can use flash.args and flash.default.
Victor Sergienko answered Oct 31 '25 08:10
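The two suggestions in the answer, written out as a Grails controller action. This is an added example, not code from the question, the answer or the Grails scaffolding templates; it assumes a hypothetical domain class `Book` with a `String name` property and a `book.label` message key. `encodeAs` is the standard attribute every Grails tag accepts, so passing it to `message(...)` from a controller encodes the rendered text, arguments included.

```groovy
// Added example (not from the original page). Assumes a hypothetical
// domain class `Book` with a `String name` property and a `book.label` key.
class BookController {

    def update(Long id) {
        Book bookInstance = Book.get(id)
        if (bookInstance == null) {
            notFound()
            return
        }
        // ... data binding and save() omitted ...

        // UNSAFE (the pattern from the question): bookInstance.name is interpolated
        // unencoded into a string that the GSP later prints as-is, so a name such
        // as <img src=x onerror=...> becomes live markup in the response.
        // flash.message = "${message(code: 'default.updated.message',
        //         args: [message(code: 'book.label', default: 'Book'), bookInstance.name])}"

        // SAFE, option 1 (the answer's first bullet): let the message tag HTML-encode
        // its whole output, including the user-controlled argument, at the point
        // where the string is built. No caller has to remember .encodeAsHTML().
        flash.message = message(code: 'default.updated.message',
                args: [message(code: 'book.label', default: 'Book'), bookInstance.name],
                encodeAs: 'HTML')

        redirect(action: 'show', id: bookInstance.id)
    }

    def save() {
        Book bookInstance = new Book(params)
        // ... validation and save() omitted ...

        // SAFE, option 2 (the answer's second bullet): keep only the message code,
        // its arguments and a fallback in flash. The view renders the message with
        //   <g:message code="${flash.message}" args="${flash.args}"
        //              default="${flash.default}" encodeAs="HTML"/>
        // so encoding is applied at output time by the tag, not by string interpolation.
        flash.message = 'default.created.message'
        flash.args    = [message(code: 'book.label', default: 'Book'), bookInstance.name]
        flash.default = 'Book created'

        redirect(action: 'show', id: bookInstance.id)
    }

    protected void notFound() {
        flash.message = message(code: 'default.not.found.message',
                args: [message(code: 'book.label', default: 'Book'), params.id],
                encodeAs: 'HTML')
        redirect(action: 'index')
    }
}
```

Whichever option you pick, encode at exactly one layer. If the GSP that prints `${flash.message}` already escapes output (the default HTML codec in newer Grails versions), combining it with `encodeAs: 'HTML'` in the controller can produce double-encoded entities such as `&amp;lt;` in the page; a quick check is to update a record whose name contains `<b>` and confirm the browser shows the literal text once, not markup and not `&lt;`.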