-
-
Notifications
You must be signed in to change notification settings - Fork 953
Default Codecs
A default codec of HTML for GSPs is useful to protect applications from Cross Site Scripting (XSS) attacks. The trouble is, the default codec applies to all GSPs, including those provided by plugins. Since it's the application developer that controls the settings, how does a plugin know whether to encode a value as HTML or not? What if a value should be encoded as Javascript rather than HTML?
You can currently override the default codec for a GSP through a defaultCodec page directive, but finer-grained control would be nice.
The problems can be expressed as the following:
- Out of the box, apps and plugins should be immune to such XSS attacks, unless the developers explicitly take action to change the default behaviour.
- There is a risk of double-encoding of data when the developer is not aware of encodings already applied.
- Plugins cannot have their pages break because the app developer changes default codec setting. Currently they do.
- Ideally the user should never need to explicitly think about codecs or calling them except in rare situations. Normally we have all the contextual information we need (i.e. inside g:javascript defaulting to HTML codec is pretty stupid)
- Behaviour is inconsistent.
<% ... %>and<%= ... %>do not apply default codec.${g.xxx([:])}does apply codec.<g:xxx/>does not apply codec.
These items work together to create a coherent environment:
- Deprecate the existing global default codec in favour of smart context-sensitive default codecs and explicit page directive
- GSPs always default to HTML codec. The page defaultCodec directive can be used to alter this.
- Add a function/tag to switch the current default codec - effectively pushing and popping a default codec stack. This could take the form of a withCodec(name, Closure) method in tags.
- Use this function/tag in core tags like
<g:javascript>and<r:script>to automatically set an appropriate codec - Add some smarts to throw exception if same codec is applied multiple times (without specifying an override for this behaviour). i.e. attach applied codec names as a Set to the stream char buffers or similar
-
<g:render>and similar tags would need to set default codec to HTML again when including another GSP, pushing whatever was default onto a stack - Change
<% ... %>and<%= ... %>to apply current default codec, as currently this is a little known security hole. Possible breaking change, but are people really using these with pre-escaped HTML right now? - Add support for an optional
encodeAsattribute to all tags automatically, such that the result will be encoded with that codec if specified i.e.var s = ${g.createLink(...., encodeAs:'JavaScript')}
The rationale for the above is the simplicity and removal of confusion:
- All GSPs in app or plugins default to HTML codec unless developer does something to change that using directive/tag
- All outputs of expressions/inline code apply the current default codec
- Tags are responsible for the correct encoding of their output, unless specified in
encodeAs=attribute
Grails provides a number of ways to prevent Cross Site Scripting (XSS) attacks, depending on your level of paranoia. It is recommended that you review the configuration of a newly created Grails application to garner an understanding of XSS prevention works in Grails.
GSP features the ability to automatically HTML encode GSP expressions, and as of Grails 2.3 this is the default configuration. The default configuration (found in Config.groovy) for a newly created Grails application can be seen below:
grails {
views {
gsp {
encoding = 'UTF-8'
htmlcodec = 'xml' // use xml escaping instead of HTML4 escaping
codecs {
expression = 'html' // escapes values inside ${}
scriptlet = 'html' // escapes output from scriptlets in GSPs
taglib = 'none' // escapes output from taglibs
staticparts = 'none' // escapes output from static template parts
}
}
// escapes all not-encoded output at final stage of outputting
filteringCodecForContentType {
//'text/html' = 'html'
}
}
}
GSP features several codecs that it uses when writing the page to the response. The codecs are configured in the codecs block and are described below:
-
expression- The expression code is used to encode any code found within ${..} expressions. The default for newly created application ishtmlencoding. -
scriptlet- Used for output from GSP scriplets (<% %>, <%= %> blocks). The default for newly created applications ishtmlencoding -
taglib- Used to encode output from GSP tag libraries. The default isnonefor new applications, as typically it is the responsibility of the tag author to define the encoding of a given tag and by specifyingnoneGrails remains backwards compatible with older tag libraries. -
staticparts- Used to encode the raw markup output by a GSP page. The default isnone.
The default configuration for new applications is fine for most use cases, and backwards compatible with existing plugins and tag libraries. However, you can also make your application even more secure by configuring Grails to always encode all output at the end of a response. This is done using the filteringCodecForContentType configuration:
// escapes all not-encoded output at final stage of outputting
filteringCodecForContentType {
'text/html' = 'html'
}
Note that, if activated, the staticparts codec typically needs to be set to raw so that static markup is not encoded:
codecs { expression = 'html' // escapes values inside ${} scriptlet = 'html' // escapes output from scriptlets in GSPs taglib = 'none' // escapes output from taglibs staticparts = 'raw' // escapes output from static template parts }