
fixed the xss issue in layoutTitle #244

Merged
merged 2 commits into from

4 participants

@bobbywarner
Collaborator

I was trying to figure out how I forgot the ? like everyone was asking, but it makes sense now. No ? needed if I would have put it in the right place, ha! :)

@burtbeckwith merged commit 6bc7dd8 into from
@marcpalmer

Guys, this is a breaking change. People who have encoded it manually in their GSPs because they know the problem will now get broken apps that double encode the titles.

@pledbrook
Collaborator

Also, what happens if a user has GSP defaulting to 'html', which is kind of what we want to head towards anyway?

@bobbywarner
Collaborator

@marcpalmer Yes, there's certainly the possibility of double encoding. I didn't realize double encoding would be a breaking change though. I thought this would be good to fix as it's potentially something that could be easily missed by users. If it's a big problem to possibly double encode, then obviously it should be removed. Please let me know.

@pledbrook Right, default html encoding would be the best, but given previous discussions, it was decided that the default setting in config.groovy won't be changed until at least 3.0. I was thinking that we probably don't want there to be a potential xss vulnerability by default until then (most users probably have no idea they need to encode the title). Please let me know.

@pledbrook
Collaborator

@bobbywarner The problem is if the user sets the default codec to "html" (which is probably recommended) and then has something like <title>${someTitle}</title> in their GSP views. I think this is a problem that needs to be solved holistically with a root & branch overhaul of default codecs. Without it, you end up with inconsistencies and breakages.

For example, if we change <g:layoutTitle>, shouldn't we also change <g:layoutHead> and <g:layoutBody>?
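To make the double-encoding concern in this thread concrete, the following is an added Python simulation; it is not Grails code and not part of this pull request. It models the two encoding layers involved: the view's `<title>${someTitle}</title>` expression, which is HTML-encoded when the GSP default codec is set to `html`, and the layout's `<g:layoutTitle/>`, which after this patch calls `encodeAsHTML()` on whatever title it receives. Python's `html.escape` stands in for `encodeAsHTML()`, the title string is constructed for the example, and the path by which `page.title` reaches the layout is simplified to a plain function argument.

```python
import html


def encode_as_html(s: str) -> str:
    """Stand-in for Grails' encodeAsHTML(): escape &, <, >, and quotes."""
    return html.escape(s, quote=True)


def render_layout_title(page_title: str, encode_in_tag: bool) -> str:
    """Simulates <g:layoutTitle/>.

    encode_in_tag=False models the tag before this patch (title written as-is),
    encode_in_tag=True models it after the patch (title.encodeAsHTML()).
    """
    return encode_as_html(page_title) if encode_in_tag else page_title


def render_gsp_title(raw_title: str, default_codec_html: bool, encode_in_tag: bool) -> str:
    """Render the full <title> element through both layers.

    Layer 1: the view's ${someTitle} expression. With the GSP default codec set to
    'html' the expression output is already encoded when the view renders.
    Layer 2: the layout's <g:layoutTitle/>, with or without the patch.
    (Assumption: page.title is simply the string produced by layer 1.)
    """
    page_title = encode_as_html(raw_title) if default_codec_html else raw_title
    return "<title>" + render_layout_title(page_title, encode_in_tag) + "</title>"


def is_double_encoded(rendered: str) -> bool:
    """Detect the visible symptom of encoding twice: an escaped ampersand
    followed by a second entity name, e.g. '&amp;lt;' instead of '&lt;'."""
    return any(marker in rendered for marker in ("&amp;lt;", "&amp;gt;", "&amp;amp;", "&amp;quot;"))


def browser_text(rendered: str) -> str:
    """What a browser shows in the title bar: the element text decoded once."""
    inner = rendered[len("<title>"):-len("</title>")]
    return html.unescape(inner)


if __name__ == "__main__":
    # Constructed sample title containing characters that matter in HTML.
    title = "Q&A <beta>"
    for codec_html in (False, True):
        for patched in (False, True):
            out = render_gsp_title(title, codec_html, patched)
            print(f"default codec html={codec_html!s:5} patched={patched!s:5} "
                  f"-> {out}  double_encoded={is_double_encoded(out)}  "
                  f"shown as: {browser_text(out)!r}")
```

Running the block prints all four combinations: with no default codec, only the patched tag produces a safe, singly-encoded title; with the default codec set to `html`, the unpatched tag is already safe and the patched tag encodes a second time, so the user sees the literal text `Q&amp;A &lt;beta&gt;` instead of `Q&A <beta>`. That is the breakage the comments above describe.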

@bobbywarner
Collaborator

Ok, should I send a pull request to revert the change? Please let me know.

@bobbywarner
Collaborator

Change reverted in pull request #246.

Commits on Jul 31, 2012
  1. @bobbywarner
  2. @bobbywarner
2  grails-plugin-gsp/src/main/groovy/org/codehaus/groovy/grails/plugins/web/taglib/RenderTagLib.groovy
@@ -288,7 +288,7 @@ class RenderTagLib implements RequestConstants {
Closure layoutTitle = { attrs ->
String title = page.title
if (!title && attrs.'default') title = attrs.'default'
- if (title) out << title
+ if (title) out << title.encodeAsHTML()
}
/**
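Review bot: the unconditional `title.encodeAsHTML()` on the `+` line double-encodes any title that is already HTML-encoded, which happens both when a view author has escaped the title by hand and when the GSP default codec is `html` and `<title>${someTitle}</title>` was encoded as the view rendered; the visible symptom is literal `&amp;lt;`-style sequences in the page title. Because `page.title` and `attrs.'default'` both pass through this one line, there is no way for a caller to opt out. Either make the encoding conditional on the configured default codec, or record it as a breaking change in the release notes, and decide the same question for `layoutHead` and `layoutBody` so the three tags stay consistent, as raised in the discussion.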