One way to deal with that in a GSP is to encode the description property using the dynamic encode method as shown below:. A preferred way to use codecs is to use the codecLookup bean to get hold of Encoder and Decoder instances. This codec performs XML escaping and unescaping. Encodes byte arrays or lists of integers to lowercase hexadecimal strings, and can decode hexadecimal strings into byte arrays.
For example:. Uses the MD5 algorithm to digest byte arrays or lists of integers, or the bytes of a string in default system encoding , as a lowercase hexadecimal string. Example of usage:. Uses the MD5 algorithm to digest byte arrays or lists of integers, or the bytes of a string in default system encoding , as a byte array.
Uses the SHA1 algorithm to digest byte arrays or lists of integers, or the bytes of a string in default system encoding , as a lowercase hexadecimal string. Uses the SHA1 algorithm to digest byte arrays or lists of integers, or the bytes of a string in default system encoding , as a byte array.
Uses the SHA algorithm to digest byte arrays or lists of integers, or the bytes of a string in default system encoding , as a lowercase hexadecimal string.
Uses the SHA algorithm to digest byte arrays or lists of integers, or the bytes of a string in default system encoding , as a byte array. Applications may define their own codecs and Grails will load them along with the standard codecs. The codec may contain a static encode closure, a static decode closure or both. The closure must accept a single argument which will be the object that the dynamic method was invoked on.
For Example:. Grails has no default mechanism for authentication as it is possible to implement authentication in many different ways.
It is however, easy to implement a simple authentication mechanism using interceptors. Interceptors let you apply authentication across all controllers or across a URI space. Here the interceptor intercepts execution before all actions except login are executed, and if there is no user in the session then redirect to the login action.
If you need more advanced functionality beyond simple authentication such as authorization, roles etc. The Spring Security plugins are built on the Spring Security project which provides a flexible, extensible framework for building all sorts of authentication and authorization schemes. The plugins are modular so you can install just the functionality that you need for your application. The Spring Security plugins are the official security plugins for Grails and are actively maintained and supported.
See the Core plugin page for basic information and the user guide for detailed information. Table of contents 1 Introduction. Table of Contents Improve this doc. What Grails Automatically Does Grails has a few built in safety mechanisms by default.
SQL injection Hibernate, which is the technology underlying GORM domain classes, automatically escapes data when committing to database so this is not an issue. Phishing This really a public relations issue in terms of avoiding hijacking of your branding and a declared communication policy with your customers. XSS - cross-site scripting injection It is important that your application verifies as much as possible that incoming requests were originated from your application and not from another site.
Cross-site request forgery CSRF involves unauthorized commands being transmitted from a user that a website trusts. Denial of service Load balancers and other appliances are more likely to be useful here, but there are also issues relating to excessive queries for example where a link is created by an attacker to set the maximum value of a result set so that a query could exceed the memory limits of the server or slow the system down. You must assume that every unprotected URL is publicly accessible one way or another.
XSS prevention is hard and requires a lot of developer attention. Although Grails plays it safe by default, that is no guarantee that your application will be invulnerable to an XSS-style attack. Such an attack is less likely to succeed than would otherwise be the case, but developers should always be conscious of potential attack vectors and attempt to uncover vulnerabilities in the application during testing.
Configuration It is recommended that you review the configuration of a newly created Grails application to garner an understanding of XSS prevention works in Grails. The default for newly created applications is html encoding taglib - Used to encode output from GSP tag libraries. Double Encoding Prevention Versions of Grails prior to 2. The 'raw' method is available in tag libraries, controllers and GSP pages. Learn more. How to read xml file in grails? Ask Question. Asked 10 years, 8 months ago.
Active 9 years, 9 months ago. Viewed 6k times. Improve this question. Rikki 1, 14 14 silver badges 17 17 bronze badges. Supriya Supriya 1 1 gold badge 8 8 silver badges 18 18 bronze badges. Add a comment. Active Oldest Votes. Improve this answer. Here is a quick sample. If my-file. Do not do this. Use named or positional parameters instead to pass in parameters:. This really a public relations issue in terms of avoiding hijacking of your branding and a declared communication policy with your customers.
Customers need to know how to identify valid emails. It is important that your application verifies as much as possible that incoming requests were originated from your application and not from another site.
It is also important to ensure that all data values rendered into views are escaped correctly. Grails 2. You must also avoid the use of request parameters or data fields for determining the next URL to redirect the user to. If you use a successURL parameter for example to determine where to redirect a user to after a successful login, attackers can imitate your login procedure using your own site, and then redirect the user back to their own site once logged in, potentially allowing JavaScript code to then exploit the logged-in account on the site.
CSRF involves unauthorized commands being transmitted from a user that a website trusts. A typical example would be another website embedding a link to perform an action on your website if the user is still authenticated.
The best way to decrease risk against these types of attacks is to use the useToken attribute on your forms. See Handling Duplicate Form Submissions for more information on how to use it. An additional measure would be to not use remember-me cookies. This is where bad data is supplied such that when it is later used to create a link in a page, clicking it will not cause the expected behaviour, and may redirect to another site or alter request parameters.
If you create your own tags that generate URLs you will need to be mindful of doing this too. Load balancers and other appliances are more likely to be useful here, but there are also issues relating to excessive queries for example where a link is created by an attacker to set the maximum value of a result set so that a query could exceed the memory limits of the server or slow the system down.
The solution here is to always sanitize request parameters before passing them to dynamic finders or other GORM query methods:. Especially in the case of GORM these are easily guessable as they are typically sequential integers. Therefore you must assert that the requesting user is allowed to view the object with the requested id before returning the response to the user.
Not doing this is "security through obscurity" which is inevitably breached, just like having a default password of "letmein" and so on. They typically involve submitting HTML or Javascript code in a form such that when that code is displayed, the browser does something nasty. It could be as simple as popping up an alert box, or it could be much worse like for example one could access other users session cookies.
All the standard GSP tags are also safe by default, escaping any relevant attribute values. So what happens when you want to stop Grails from escaping some content?
There are valid use cases for putting HTML into the database and rendering it as-is, as long as that content is trusted. In such cases, you can tell Grails that the content is safe as should be rendered raw, i.
The raw method you see here is available from controllers, tag libraries and GSP pages. Grails codecs are mainly for preventing stored and reflected XSS type of attacks.
It is recommended that you review the configuration of a newly created Grails application to garner an understanding of XSS prevention works in Grails. When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden. This can be configured in the application. The default configuration found in application.
GSP features several codecs that it uses when writing the page to the response. The codecs are configured in the codecs block and are described below:. The default for newly created application is html encoding. The default for newly created applications is html encoding.
The default is none for new applications, as typically it is the responsibility of the tag author to define the encoding of a given tag and by specifying none Grails remains backwards compatible with older tag libraries. The default is none. Versions of Grails prior to 2. Grails also features the ability to control the codecs used on a per plugin basis.
For example if you have a plugin named foo installed, then placing the following configuration in your application.
0コメント