
When do I need to encode with multiple codecs in Grails?

Posted by sync on 2018-01-09 23:51:54Z

I'm not clear of when (or if) I should use multiple Grails encodeAsXXX calls.

This reference says you need to encodeAsURL and then encodeAsJavaScript: http://grailsrocks.com/blog/2013/4/19/can-i-pwn-your-grails-application

It also says you need to encodeAsURL and then encodeAsHTML; I don't understand why this is necessary in the case shown but not all the time.

Are there other cases where I should be using multiple chained encoders?

If I'm rendering a URL to an HTML attribute, should I encodeAsURL then encodeAsHTML?

If I'm rendering a URL to a JavaScript variable sent as part of an HTML document (via a SCRIPT element), should I encodeAsURL, encodeAsJavaScript, then encodeAsHTML?

If I'm rendering a string to a JavaScript variable sent as part of an HTML document, should I encodeAsJavaScript then encodeAsHTML?

The official docs - https://docs.grails.org/latest/guide/security.html - don't show any examples of multiple chained encoders.

I can't see how I can understand what to do here except by finding the source for all the encoders and looking at what they encode and what's valid on the receiving end - but I figure it shouldn't be that hard for a developer and there is probably something simple I'm missing or some instructions I haven't found.

FWIW, I think the encoders I'm talking about are these ones:

https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html#htmlEscape-java.lang.String-

Peter, replied 2018-01-12 18:26:39Z

It is certainly important to always consider XSS, but in reading your question I think you are overestimating what you need to do. As long as you're using Grails 2.3 or higher and your grails.views.default.codec is set to html, which it will be by default, everything rendered in your GSP with ${} will be escaped properly for you.

It is only when you are intentionally bypassing the escaping, such as if you need to get sanitized user input back into valid JavaScript within your GSP for some reason, that you would need to use the encodeAsXXX methods or similar.

I would argue (and the article makes a mention of this as well) that this should raise a smell anyway, as you probably should have that JavaScript encapsulated in a different file or TagLib where the escaping is handled.

Bottom line, use the encoding methods only if you are overriding the default HTML encoding, otherwise ${} handles it for you.
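The following is an added example, not code from the question, the answer, or Grails itself. It models the three placements the question lists (a URL in an HTML attribute, a string in an inline script variable, and a URL in an inline script variable) and the case the answer describes, where the default HTML escaping is bypassed to get a value into JavaScript. The helpers htmlEscape, urlEncode and jsStringLiteral are small stand-ins written for this example and are not Grails' encodeAsHTML, encodeAsURL or encodeAsJavaScript codecs; the probe strings are constructed. The rule it demonstrates: encode for the innermost context first, then for each context that wraps it, and stop at the context the browser actually parses. Inline script content is not HTML-decoded by the browser, so adding an HTML-escape on top of a JavaScript string literal corrupts the value rather than protecting it.

```javascript
// Added example: layered output encoding for nested browser contexts.
// The escapers below are stand-ins for this example, NOT the Grails codecs.

// HTML text / attribute-value escaping (attribute must be double-quoted).
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Percent-encoding for a single URL query parameter value.
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// Produces a double-quoted JavaScript string literal. JSON.stringify escapes
// quotes, backslashes and control characters; on top of that we neutralise
// "</" so the literal can never close the enclosing <script> element, and
// escape U+2028/U+2029, which JSON permits raw but JS engines may treat as
// line terminators.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// 1. A URL carrying user input, placed in an HTML attribute:
//    innermost context first (URL query), then the wrapping HTML attribute.
function hrefAttribute(baseUrl, userValue) {
  const url = baseUrl + '?q=' + urlEncode(userValue);
  return '<a href="' + htmlEscape(url) + '">link</a>';
}

// 2. A string placed in a JS variable inside an inline <script>:
//    JavaScript escaping only. Script content is raw text to the HTML
//    parser, so htmlEscape() here would hand "&lt;" etc. to the JS engine
//    literally and produce a broken or wrong value.
function scriptStringVar(name, userValue) {
  return '<script>var ' + name + ' = ' + jsStringLiteral(userValue) + ';</script>';
}

// 3. A URL carrying user input, placed in a JS variable inside <script>:
//    URL-encode the parameter, then JS-escape the whole URL. No HTML step.
function scriptUrlVar(name, baseUrl, userValue) {
  const url = baseUrl + '?q=' + urlEncode(userValue);
  return '<script>var ' + name + ' = ' + jsStringLiteral(url) + ';</script>';
}

// Constructed probe values that try to break out of each context.
const PROBE_ATTR = '"><i>probe</i>';
const PROBE_SCRIPT = '</script><i>probe</i>';

// Renders all three placements with the probes so the effect is visible.
function demo() {
  return {
    attribute: hrefAttribute('/search', PROBE_ATTR),
    scriptString: scriptStringVar('q', PROBE_SCRIPT),
    scriptUrl: scriptUrlVar('u', '/search', PROBE_SCRIPT),
    // The JS engine decodes the literal back to the original value, so the
    // data survives intact while the markup does not.
    roundTrip: JSON.parse(jsStringLiteral(PROBE_SCRIPT)) === PROBE_SCRIPT,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Mapping this back to the question: case 1 is encodeAsURL then encodeAsHTML, case 2 is encodeAsJavaScript alone, and case 3 is encodeAsURL then encodeAsJavaScript, which is the pairing the grailsrocks article describes. In each case the last encoder applied is the one for the context the browser parses the output in, and as the answer says, a plain ${} in a GSP with the default html codec already covers case 1's outer step for ordinary HTML output.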
