fixed the xss issue in layoutTitle #244
Jul 31, 2012
@marcpalmer Yes, there's certainly the possibility of double encoding. I didn't realize double encoding would be a breaking change though. I thought this would be good to fix as it's potentially something that could be easily missed by users. If it's a big problem to possibly double encode, then obviously it should be removed. Please let me know.
@pledbrook Right, default html encoding would be the best, but given previous discussions, it was decided that the default setting in config.groovy won't be changed until at least 3.0. I was thinking that we probably don't want there to be a potential xss vulnerability by default until then (most users probably have no idea they need to encode the title). Please let me know.
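The trade-off the two comments above describe (encode in the tag and risk double encoding when the app's default codec is already `html`, or leave the tag alone and risk unencoded output by default) is easy to see in a small model. The following is an added example, not code from the Grails project: it stands in for the `layoutTitle` pipeline with plain Python `html.escape` and a constructed sample title, and the `render_title`, `classify`, `UNTRUSTED_TITLE` and `PRE_ENCODED_TITLE` names are assumptions made for the illustration. It does not reproduce the real codec semantics; it only shows what each combination of settings produces and gives a check a regression test could use.

```python
import html

# Constructed sample values (not taken from the thread or the project):
# a title built from untrusted input, and a title an author pre-encoded by hand,
# which is the case that turns "encode in the tag" into a breaking change.
UNTRUSTED_TITLE = 'Search results for <script>alert(1)</script> & "friends"'
PRE_ENCODED_TITLE = "Tom &amp; Jerry"


def encode_once(value: str) -> str:
    """Stand-in for an 'html' codec: one HTML-encoding pass."""
    return html.escape(value, quote=True)


def render_title(value: str, tag_encodes: bool, default_codec_html: bool) -> str:
    """Model of the two-stage pipeline under discussion (assumption, not Grails code):
    the layoutTitle tag may encode its output, and the app's default codec
    may encode the same text again on the way out."""
    out = value
    if tag_encodes:
        out = encode_once(out)
    if default_codec_html:
        out = encode_once(out)
    return out


# Entities that only appear when already-encoded text is encoded a second time.
DOUBLE_ENCODED_MARKERS = ("&amp;lt;", "&amp;gt;", "&amp;amp;", "&amp;quot;", "&amp;#x27;")


def classify(rendered: str) -> str:
    """Return 'double' if the output shows double encoding, 'raw' if markup
    characters reached the page unencoded, otherwise 'ok'."""
    if any(marker in rendered for marker in DOUBLE_ENCODED_MARKERS):
        return "double"
    if "<" in rendered or ">" in rendered:
        return "raw"
    return "ok"


def matrix(value: str) -> dict:
    """Outcome for every combination of tag encoding and default codec,
    keyed as (tag_encodes, default_codec_html)."""
    return {
        (tag, codec): classify(render_title(value, tag, codec))
        for tag in (False, True)
        for codec in (False, True)
    }


if __name__ == "__main__":
    for title in (UNTRUSTED_TITLE, PRE_ENCODED_TITLE):
        print(repr(title))
        for settings, verdict in matrix(title).items():
            print("  tag_encodes=%s default_codec_html=%s -> %s" % (*settings, verdict))
```

Running the matrix over the untrusted title shows the point made by @bobbywarner: with neither setting, raw markup reaches the page; with exactly one of them, the output is encoded once. Running it over the pre-encoded title shows @marcpalmer's point: any encoding pass at all turns `&amp;` into `&amp;amp;`, so a user who already encodes (or has set the default codec) gets visibly changed output. A `classify(...) == "double"` check in a view test is a cheap way to catch that regression before it ships.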
@bobbywarner The problem is if the user sets the default codec to "html" (which is probably recommended) and then has something like
For example, if we change