New grails 2.3.7 app is ignoring <%= %>
I am writing a new grails 2.3.7 app and I'm trying to use <%= %> to avoid html encoding a domain class field.
For some reason grails is ignoring this and encoding the thing anyway.
As an example
<%="<h2>FOO</h2>"%>
Just renders as
<h2>FOO</h2>
and not as a level 2 header as expected.
This is not a bug but in fact Grails' automatic XSS attack prevention. See http://grails.org/doc/latest/guide/security.html#xssPrevention
What you want to do is mark the output as raw:
<%=raw("<h2>FOO</h2>")%>
However, note that this should be done with extreme care as you may put your application at risk of XSS attacks.
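An added example, not part of the question or answer above, showing where the scriptlet encoding in a new Grails 2.3 app comes from and a safer way to output stored markup: keep the default codec and sanitize the field with an allow-list before marking it raw. It assumes the jsoup library is on the classpath and a hypothetical Article domain class with a body field.

```groovy
// grails-app/conf/Config.groovy (Grails 2.3 default codec settings, written
// here in dotted form; the generated file uses the nested grails { views { gsp { codecs { ... } } } } form).
// scriptlet = 'html' is why <%= %> output is HTML-encoded in a new 2.3 app.
grails.views.gsp.codecs.expression  = 'html'   // ${...}
grails.views.gsp.codecs.scriptlet   = 'html'   // <%= ... %>
grails.views.gsp.codecs.taglib      = 'none'   // tag library output
grails.views.gsp.codecs.staticparts = 'none'   // literal template text
// Setting scriptlet = 'none' would remove the symptom but also removes the
// XSS protection for every scriptlet in every view; prefer raw() per field.

// grails-app/controllers/ArticleController.groovy (hypothetical controller)
import org.jsoup.Jsoup
import org.jsoup.safety.Whitelist   // assumption: jsoup is a declared dependency

class ArticleController {
    def show(Long id) {
        def article = Article.get(id)          // hypothetical domain class with a 'body' field
        if (!article) {
            render(status: 404)
            return
        }
        // Allow-list sanitization: keeps structural tags such as <p>, <a>, <ul> and the
        // headings added below; drops <script>, on* attributes and javascript: URLs.
        String safeBody = Jsoup.clean(article.body, Whitelist.basic().addTags('h1', 'h2', 'h3'))
        [article: article, safeBody: safeBody]
    }
}

// grails-app/views/article/show.gsp (hypothetical view), shown as a comment so the
// whole example stays in one Groovy block:
//   <h1>${article.title}</h1>    <!-- still HTML-encoded by the default codec -->
//   ${raw(safeBody)}             <!-- only the sanitized string bypasses encoding -->
```

Only the sanitized value is passed to raw(); the unsanitized article.body never reaches the view unencoded.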