Why is grails.views.default.codec not used by default for "html"?

Question

Why is grails.views.default.codec not used by default for "html"?

Grails Configuration Config.groovy grails.views.default.codecspecifies the default codec used to encode data in ${...}Grails views.

This configuration parameter can take any values none(no filtering is required), html(to avoid XSS attacks) and base64(does not have a real use case, which I know of).

The default value is Grails none(no filtering).

Questions:

Are there any good technical reasons not to use the more secure "html" option?
When do you decide to go with the standard "none" option in your Grails projects?

+3

security grails gsp

knorv Nov 17 '09 at 16:43

source share

1 answer

Jean barmash · Accepted Answer · 2009-11-17T18:41:57+0000

Question on a similar topic here. . I do not claim to have much experience with this, but I think. Why is this not html by default weird for me. I found GRAILS-2945 where it was proposed, but was eventually rejected, without much explanation. There is also additional information in GRAILS-1827 when the problem was first implemented.

Why is grails.views.default.codec not used by default for "html"?

More articles: