Codecs in Grails
Posted By : Akash Sharma | 26-Feb-2014
In this blog post I want to shed some light on the topic of codecs in Grails. Before starting, I went through CAN I PWN YOUR GRAILS APPLICATION?, which covers a great discussion of why codecs are important and essential to use.
Before starting I also want to give a brief introduction to why they are needed. When I first heard about them, my first question was: what is the need for a codec in a Grails application?
Codecs are used as a solution to one well-known problem: XSS (Cross-Site Scripting).
Now what is XSS?
User data supplied via web forms, API requests or URL query parameters can be changed by any user. If a user injects client-side script into this data and your application does not handle it securely, you are at risk.
For example, let's say you have a form for submitting user details on one page and a different page that lists all users. Assume an attacker comes to the user registration page and submits some JavaScript code in the user details. After the user details are saved, that JavaScript code is going to execute on the list-of-users page.
This is a very small example of the problem.
Now codecs provide a solution for this. What we can do is encode the data as HTML (using HtmlUtils) and then render that data in the view. That fixes this class of XSS problems. Keep in mind that HTML encoding covers values rendered in the HTML body; a value placed inside JavaScript or a URL needs the matching codec for that context, as discussed below.
For other good examples of how to encode your data safely, go through the examples in CAN I PWN YOUR GRAILS APPLICATION?
This is one advantage of using codecs in your application. There might also be situations where you explicitly want to encode or decode your data in a view or in some other piece of logic.
I can show you a simple example of an encoder/decoder in Grails:
// grails-app/utils/HTMLCodec.groovy
// Grails derives encodeAsHTML() / decodeHTML() from the class name (minus "Codec").
import org.springframework.web.util.HtmlUtils

class HTMLCodec {
    // encode: escape <, >, &, " so the value is rendered as text, not markup
    static encode = { theTarget -> HtmlUtils.htmlEscape(theTarget.toString()) }
    // decode: reverse the escaping
    static decode = { theTarget -> HtmlUtils.htmlUnescape(theTarget.toString()) }
}

assert "&lt;p&gt;Hello World!&lt;/p&gt;" == "<p>Hello World!</p>".encodeAsHTML()
assert "<p>Hello World!</p>" == "&lt;p&gt;Hello World!&lt;/p&gt;".decodeHTML()
Grails provides various encoders and decoders by default.
The general usage pattern for codecs is:
encodeAsXXX()
decodeXXX()
where XXX can be one of:
HTML
JavaScript
Raw
URL
Base64
Hex
MD5
MD5Bytes
SHA256
SHA256Bytes
NOTE:
By default, ${ } encodes the content as HTML in a GSP.
By default, ${ } encodes the content as JavaScript inside JavaScript code in a GSP.
The default configuration is done in Config.groovy:
// in Config.groovy, inside grails { views { gsp { ... } } }
codecs {
    expression = 'html'   // escapes values inside ${}
    scriptlet = 'html'    // escapes output from scriptlets in GSPs
    taglib = 'none'       // escapes output from taglibs
    staticparts = 'raw'   // escapes output from static template parts
}
There might be situations where you do not want to escape data in a GSP, either as HTML or as JavaScript; then you can use one of these forms:
${ raw(content) }
${ content.encodeAsRaw() }
<g:encodeAs codec="Raw">${content}</g:encodeAs>
These can be used in a GSP or inside a script tag in a GSP. I can show you a small code snippet covering both a GSP body and a script tag in a GSP.
<g:set var="htmlData"><strong>hello world</strong></g:set>
<g:set var="jsData">$('#myDiv').html('hello world');</g:set>

${htmlData}
${htmlData.encodeAsRaw()}

<script type="text/javascript">
    ${jsData}
    ${jsData.encodeAsRaw()}
</script>

#output on browser:
<strong>hello world</strong>
hello world

#output in browser console:
$('#myDiv').html('hello world');
$('#myDiv').html('hello world');
To switch off the default codec for a whole page, use the page directive:
<%@page defaultCodec="none" %>
To explicitly define the encoding for any tag, you can pass encodeAs like this:
var s = ${g.createLink(...., encodeAs:'JavaScript')}
Double Encoding Problem:
Grails 2.3 includes double-encoding prevention, so that when an expression is evaluated it will not encode the data again if it has already been encoded (for example ${foo.encodeAsHTML()}).
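To tie together the registration-form scenario from the start of the post, the default codec per context from the NOTE, raw output and the double-encoding rule just described, here is an added plain-Groovy model of the mechanism. It is example code written for this post, not code from Grails or from the original article: the Codecs registry, the Encoded marker class and the render function are hypothetical stand-ins for the machinery Grails provides behind encodeAsXXX() and ${...}, and the escaping rules of the JavaScript codec are a simplification rather than Grails' exact output. It runs with a plain groovy install and needs no Grails application.

```groovy
// Added example for this post, not Grails code: a plain-Groovy model of
// context-specific codecs, raw output and double-encoding prevention.
// Codecs, Encoded and render are hypothetical names standing in for the
// machinery Grails provides behind encodeAsXXX() and ${...}.

// A value that has already passed through a codec. Grails tracks this state
// internally; here it is an explicit wrapper so render() can skip it.
class Encoded {
    final String value
    final String codec
    Encoded(String value, String codec) {
        this.value = value
        this.codec = codec
    }
    String toString() { value }
}

class Codecs {
    // HTML body/attribute context: neutralise the characters that can open
    // a tag, close an attribute or start an entity.
    static String html(String s) {
        s.replace('&', '&amp;')
         .replace('<', '&lt;')
         .replace('>', '&gt;')
         .replace('"', '&quot;')
         .replace("'", '&#39;')
    }

    // JavaScript string-literal context (simplified rules, not Grails' exact
    // output): backslash-escape quotes, backslashes, line breaks and the
    // slash that would otherwise let "</script>" end the script block.
    static String javascript(String s) {
        s.replace('\\', '\\\\')
         .replace("'", "\\'")
         .replace('"', '\\"')
         .replace('/', '\\/')
         .replace('\n', '\\n')
         .replace('\r', '\\r')
    }

    // Raw: the value passes through untouched, like encodeAsRaw().
    static String raw(String s) { s }

    static final Map<String, Closure<String>> REGISTRY = [
        html      : Codecs.&html,
        javascript: Codecs.&javascript,
        raw       : Codecs.&raw,
    ]

    // Like encodeAsXXX(): returns a marked value rather than a bare String.
    static Encoded encodeAs(String codec, Object content) {
        String name = codec.toLowerCase()
        Closure<String> c = REGISTRY[name]
        if (c == null) {
            throw new IllegalArgumentException("no codec named ${codec}")
        }
        new Encoded(c.call(content.toString()), name)
    }
}

// Models ${...} in a GSP: apply the context's default codec (html in the
// page body, javascript inside <script>) unless the value is already
// Encoded, in which case it is emitted as-is. That skip is the
// double-encoding prevention.
String render(Object content, String defaultCodec) {
    if (content instanceof Encoded) {
        return content.value
    }
    Codecs.encodeAs(defaultCodec, content).value
}

// Constructed attacker input: what a "user" might type into the name field
// of the registration form.
String userName = "<script>alert('pwned')</script>"

// 1. The user-list page renders the name in the HTML body: the tag is inert.
assert render(userName, 'html') ==
    '&lt;script&gt;alert(&#39;pwned&#39;)&lt;/script&gt;'

// 2. The same name inside a JS string literal needs the JavaScript codec;
//    HTML entities would not help there and raw output would close the block.
assert render(userName, 'javascript') ==
    "<script>alert(\\'pwned\\')<\\/script>"

// 3. ${userName.encodeAsHTML()} in the body is not encoded a second time.
Encoded once = Codecs.encodeAs('HTML', userName)
assert render(once, 'html') == once.value
assert !render(once, 'html').contains('&amp;lt;')

// 4. raw(content) / encodeAsRaw() bypasses the default codec on purpose, so
//    it is only appropriate for markup the application itself produced.
String trustedMarkup = '<strong>hello world</strong>'
assert render(Codecs.encodeAs('Raw', trustedMarkup), 'html') == trustedMarkup

println 'codec checks passed'
```

Run it with groovy codecs_demo.groovy (the file name is assumed). The point to take from it: the codec is chosen by where the value lands, not by what the value looks like, and a value that has already been encoded for a context passes through render unchanged, which is what Grails 2.3's double-encoding prevention does for ${foo.encodeAsHTML()}.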
Per Tag Library Encoding:
A tag library can set the default codec for all of its tags with defaultEncodeAs:
static defaultEncodeAs = 'html'
Encoding can also be specified on a per-tag basis using encodeAsForTags:
static encodeAsForTags = [tagName: 'raw']
For more information on Grails codecs, see the Grails documentation on the default codecs.
Thanks
Akash Sharma
About Author
Akash Sharma
Akash is a bright Groovy and Grails developer and has worked on the development of various SaaS applications using Grails technologies. Akash loves playing cricket and tennis.