How can I exclude the plugin from the default grails gsp encoding?

I am working in a Grails app that uses the default HTML encoding for all GSP pages:

grails {
    views {
        gsp {
            encoding = 'UTF-8'
            codecs {
              expression = 'html' 
              scriptlet = 'html'
              taglib = 'none' 
              staticparts = 'none' 
            }
        }
    }
}

This is great and removes XSS vulnerabilities from the vast majority of applications, but some plugins in the application include HTML in variables that are displayed in the plugins' own GSPs. Without modifying the plugin, I cannot add a raw() method around the variables I don't want encoded.

I went through the Grails docs and may just be looking in the wrong place, but I couldn't find the answer...

Is there a way to exclude a plugin from the GSP codecs? Or even a specific controller / view?

+2

1 answer


So I finally had time to get back to this and do some more research. Eventually I came across a GitHub wiki discussion (https://github.com/grails/grails-core/wiki/Default-Codecs).

The section on Per Plugin reads as follows:

"Grails also has the ability to control the codecs used for each plugin. For example, if you have a plugin named foo, then putting the following configuration in your application's Config.groovy will disable encoding only for the plugin foo.

foo.grails.views.gsp.codecs.expression = "none"

"

Side note on an edge case:

I am having problems with reserved words in my Config file. We used a plugin called "user interface" and tried to reference it the same way:

custom-user-interface.grails.views.gsp.codecs.expression = "none"

This failed to compile because Grails was trying to treat "interface" as if it meant something. Trying to put this in a string:

'custom-user-interface'.grails.views.gsp.codecs.expression = "none"

also failed to compile, with the error "no property 'grails' for String".

In the end I managed to escape it and use the parenthesis convention to get the plugin to behave the way I wanted:

custom-'user-interface' {
   grails.views.gsp.codecs.expression = 'none'
}

+1
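As an added illustration (not part of the question or the answer above), here is a complete Config.groovy fragment that keeps the application-wide HTML escaping and scopes the exemption to a single plugin. The plugin name custom-user-interface is taken from the answer; writing the hyphenated name as a quoted string-key block is my assumption about Groovy's ConfigSlurper syntax, not something the page verifies.

```groovy
// Config.groovy (added example, not from the original post)
// Application-wide defaults: every ${...} expression and scriptlet is
// HTML-escaped, so untrusted data rendered in GSPs cannot inject markup.
grails {
    views {
        gsp {
            encoding = 'UTF-8'
            codecs {
                expression  = 'html'   // ${...} output is escaped
                scriptlet   = 'html'   // <% ... %> output is escaped
                taglib      = 'none'   // tag libraries handle their own escaping
                staticparts = 'none'   // static template text is left as-is
            }
        }
    }
}

// Per-plugin exemption. Only GSPs that belong to this plugin lose the
// expression codec; the application's own views keep 'html'.
// Assumption: quoting the whole hyphenated name as a string-keyed block
// sidesteps Groovy treating "interface" as a keyword.
'custom-user-interface' {
    grails {
        views {
            gsp {
                codecs {
                    expression = 'none'  // this plugin's ${...} is no longer escaped
                }
            }
        }
    }
}
```

Everything the exempted plugin renders from user-controlled data is now emitted unescaped, so review that plugin's views and keep the exemption as narrow as it actually needs (for example, leave scriptlet at 'html' if only expressions carry trusted markup).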