When to encode as HTML in Grails

I often see Grails sample code where the programmer has called a method called encodeAsHTML(). I figure I should probably use this in my Grails applications (for security reasons, I assume?), but I was wondering when I should use this method. What objects/properties/etc. are candidates for the encodeAsHTML() method?

Thank you!

grantmcconnaughey asked May 08 '13 15:05

2 Answers

Use encodeAsHTML() (or encodeAsJavaScript, etc.) for everything that you've got from the user: for every string that could be modified by the user (got from an input form, from a request parameter, from an external API call, etc.).

See also:

  • https://en.wikipedia.org/wiki/Cross-site_scripting
  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Igor Artamonov answered Nov 15 '22 23:11


I am not sure when this was introduced to Grails, but if in Config.groovy you set grails.views.default.codec="html" then encodeAsHTML() is called whenever you use ${} in GSPs.

Source: http://alwaysthecritic.typepad.com/atc/2010/06/grails-gsp-html-escaping-confusion.html

vegemite4me answered Nov 15 '22 23:11
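As an added illustration (not code from either answer), here is a GSP fragment showing the output contexts the two answers touch on: the HTML body and attribute contexts, where encodeAsHTML() is the right codec, and a JavaScript string context, where the encodeAsJavaScript() codec named in the first answer applies instead. It assumes a request parameter `params.name` and a hypothetical view path, and that `grails.views.default.codec` is not set, so every encoding call is explicit:

```html
<%-- grails-app/views/greeting/show.gsp (hypothetical path for this example) --%>
<%-- params.name is untrusted: it arrives from the request and may contain markup --%>
<html>
<body>
  <%-- HTML body context: encodeAsHTML() turns < > & " into entities, so a
       submitted value of <b>Bob</b> is displayed as literal text, not markup. --%>
  <h1>Hello, ${params.name.encodeAsHTML()}</h1>

  <%-- Attribute context: the same codec also encodes the quote characters, so
       the value cannot close the quoted attribute and start a new one. --%>
  <input type="text" name="name" value="${params.name.encodeAsHTML()}" />

  <%-- JavaScript string context: HTML entities are not decoded inside a
       <script> block, so encodeAsHTML() would corrupt the value rather than
       escape it for JavaScript. Use the JavaScript codec for this context. --%>
  <script>
    var name = "${params.name.encodeAsJavaScript()}";
  </script>
</body>
</html>
```

With `grails.views.default.codec = "html"` set in Config.groovy as the second answer describes, the plain `${params.name}` form in the body and attribute contexts is encoded for you; check how your Grails version combines the default codec with an explicit encodeAsJavaScript() call before relying on both together, since the linked blog post exists precisely because that interaction has confused people.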