stackoom
  简体   繁体   中英

New grails 2.3.7 app is ignoring <%= %>

 原文  2014-06-12 14:26:29       html/ grails/ escaping

Question

I am writing a new grails 2.3.7 app and I'm trying to use <%= %> to avoid html encoding a domain class field.

For some reason grails is ignoring this and encoding the thing anyway.

As an example 

<%="<h2>FOO</h2>"%>

Just renders as 

<h2>FOO</h2>

and not as a level 2 header as expected.

1 answers

solution1
 1  2014-06-13 09:38:14

This is not a bug but in fact Grails' automatic XSS attack prevention. See http://grails.org/doc/latest/guide/security.html#xssPrevention

What you want to do it mark the output as raw: 

<%=raw("<h2>FOO</h2>")%>

However, note that this should be done with extreme care as you may put your application at risk of XSS attacks.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Grails 2.3.7 redirecting controller action with flash.message, i18n and html markup Why the browser is ignoring new empty lines inside the textarea in HTML? Chrome extension seems to be ignoring javascript to launch a new url make an html page with unique css/ ignoring most the universal app css Email coding : Gmail and Gmail app seems to be ignoring my CSS How to get the gsp file stored under grails-app/views/teamplates directory and modify it in Grails How to check in JS if user selected a file in file input on Android 2.3.7 Simple question - searching for text in between <td> and </td> tags ignoring new lines random picture script for new app Reactivating to new page - Windows 8 app
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM