I'm working in a grails application that is using default encoding of html for all gsp pages:
    grails {
        views {
            gsp {
                encoding = 'UTF-8'
                codecs {
                    expression = 'html'
                    scriptlet = 'html'
                    taglib = 'none'
                    staticparts = 'none'
                }
            }
        }
    }
This is great and removes XSS vulnerabilities from the vast majority of the application, but some plugins in the application include HTML in grails variables which are rendered on the GSPs in the plugins. Without modifying the plugin, I can't add the raw() method around the variables I don't want to encode.
I've looked through the grails docs and may just be looking in the wrong place, but I couldn't find an answer...
Is there a way to exclude a plugin from the gsp codecs? Or even a specific controller/view?
So I finally had time to revisit this and do some more research. Eventually stumbled across a discussion on github (https://github.com/grails/grails-core/wiki/Default-Codecs).
A section about Per Plugin encoding reads as follows:
"
Grails also features the ability to control the codecs used on a per plugin basis. For example if you have a plugin named foo installed, then placing the following configuration in your application's Config.groovy will disable encoding for only the foo plugin:

    foo.grails.views.gsp.codecs.expression = "none"
"
Side note, for rare circumstances:
I ran into additional problems with reserved words in the Config file. We were using a plugin called 'custom-user-interface' and attempting to reference it in the same way:

    custom-user-interface.grails.views.gsp.codecs.expression = "none"

failed to compile because grails tried to treat "interface" as though it meant something. Attempting to place this in a string

    'custom-user-interface'.grails.views.gsp.codecs.expression = "none"

also failed to compile with the error "no property 'grails' for String".
Eventually I was able to escape it and use bracket notation to successfully force the plugin to behave the way I wanted:

    custom-'user-interface' {
        grails.views.gsp.codecs.expression = 'none'
    }
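Before shipping a per-plugin override like this, it is worth checking how Grails will actually read the key, since a mis-parsed plugin name silently leaves the codec at its default (or, worse, disables encoding for the wrong scope). The following is an added example, not code from the question or answer above: it feeds the same kind of Config.groovy text through Groovy's ConfigSlurper (the parser Grails uses for Config.groovy) and asserts on the resolved values. The plugin names foo and custom-user-interface come from the thread; the quoted-block form for the hyphenated name is an assumption of this example, not the syntax the answer used.

```groovy
// Added example: verify how per-plugin GSP codec overrides resolve before deploying them.
// Assumption: the quoted-block form 'custom-user-interface' { ... } for a hyphenated plugin name.
import groovy.util.ConfigSlurper

def configText = '''
grails {
    views {
        gsp {
            encoding = 'UTF-8'
            codecs {
                expression  = 'html'   // application-wide default: encode ${...} output
                scriptlet   = 'html'
                taglib      = 'none'
                staticparts = 'none'
            }
        }
    }
}

// Per-plugin override: only the "foo" plugin renders ${...} expressions unencoded.
foo.grails.views.gsp.codecs.expression = 'none'

// Hyphenated plugin name: quoting the whole name keeps Groovy from reading
// "interface" as a keyword or the hyphens as subtraction (assumed form).
'custom-user-interface' {
    grails.views.gsp.codecs.expression = 'none'
}
'''

def config = new ConfigSlurper().parse(configText)

// The application-wide default must be untouched by the plugin overrides ...
assert config.grails.views.gsp.codecs.expression == 'html'
assert config.grails.views.gsp.codecs.scriptlet  == 'html'

// ... and only the two named plugins opt out of expression encoding.
assert config.foo.grails.views.gsp.codecs.expression == 'none'
assert config.'custom-user-interface'.grails.views.gsp.codecs.expression == 'none'

// A plugin with no override resolves to an empty ConfigObject, i.e. no per-plugin
// setting exists and Grails falls back to the global 'html' codec for it.
assert config.bar.grails.views.gsp.codecs.expression instanceof ConfigObject
println 'per-plugin codec overrides resolve as expected'
```

Keep the override scoped to the single codec the plugin actually needs (here only expression), so scriptlet output in that plugin stays HTML-encoded.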