Why doesn't grails.views.default.codec default to "html"?

Question

The Grails Config.groovy setting grails.views.default.codec specifies the default codec used to encode data within ${...} in Grails views.

This config setting can take any of the values none (no filtering required), html (to avoid XSS-attacks) and base64 (has no real-world use-case that I know of).

The Grails default is none (no filtering).

Questions:

Are there any compelling technical reasons not to use the safer option "html"?
When do you choose to go with the default option of "none" in your Grails projects?

score 1 · Accepted Answer · edited May 23 '17 at 12:19

1

A question on similar topic here.. I don't claim big expertise on this, but I imagine. Why it's not html by default is strange to me. I found GRAILS-2945, where this was proposed but ultimately rejected, without too much explanation. There is also some more information in GRAILS-1827, when the issue was first implemented.

edited May 23 '17 at 12:19

Community

1
1

answered Nov 17 '09 at 18:41

Jean Barmash

4,788
1
32
40

Why doesn't grails.views.default.codec default to "html"?

1 Answers1