Security and Best Practices
Build Your HTML
When you generate HTML, use MarkupBuilder for security purposes. MarkupBuilder escapes any malicious tags an editor might try to insert, so they are rendered as text rather than interpreted as markup. Additionally, the tool ensures that the HTML output is well-formed. For example, it guards against unclosed tags, which would break the formatting of your page.
MarkupBuilder should be used instead of returning HTML strings whenever possible.
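The following Groovy script is an added example (it is not code from the original page) that contrasts building a comment snippet by string interpolation with building it through MarkupBuilder. The `renderComment` helper and the sample user input are constructed for illustration; MarkupBuilder escapes `<`, `>` and `&` in text nodes and closes every element it opens, which is what the assertions check.

```groovy
import groovy.xml.MarkupBuilder

// Constructed sample input: a free-text field that happens to contain markup
def userInput = '<script>/* injected */</script> Tom & Jerry <b>bold</b>'

// Unsafe pattern: interpolating the raw string hands the browser live markup
def unsafeHtml = "<div class=\"comment\">${userInput}</div>"
assert unsafeHtml.contains('<script>')

// Safe pattern: MarkupBuilder writes the input as a text node and escapes it
def renderComment(String author, String body) {
    def writer = new StringWriter()
    def html = new MarkupBuilder(writer)
    html.div(class: 'comment') {
        span(class: 'author', author)
        p(body)
    }
    writer.toString()
}

def safeHtml = renderComment('alice', userInput)

// The tags arrive as text: <script> becomes &lt;script&gt;, & becomes &amp;
assert !safeHtml.contains('<script>')
assert safeHtml.contains('&lt;script&gt;')
assert safeHtml.contains('Tom &amp; Jerry')

// Well-formed output: every element the builder opened is closed
assert safeHtml.count('<div') == 1 && safeHtml.count('</div>') == 1
assert safeHtml.count('<p>') == 1 && safeHtml.count('</p>') == 1

safeHtml
```

Because the builder owns the tag structure, the only thing an editor controls is the text inside the nodes; that is the property string concatenation cannot give you.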
Sanitize Your HTML
If you need to create custom HTML from strings, parse the input HTML and filter it through a list of safe tags and attributes. The Jsoup clean() method does exactly this.
```groovy
import org.jsoup.Jsoup
import org.jsoup.safety.Safelist

// A malicious user could put HTML in the userInput parameter
def potentiallyUnsafeHtml = "<p>${parameters.userInput}</p>"

// This will clean out any potentially malicious HTML, while still allowing basic formatting tags
def cleanHtml = Jsoup.clean(potentiallyUnsafeHtml, Safelist.simpleText())

cleanHtml
```
See the Jsoup Safelist (formerly Whitelist) API documentation for more details on the available safelisting options.
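As an added example that is not part of the original page, the script below starts from Jsoup's `Safelist.basic()` (which already allows paragraphs, links and inline formatting) and widens it only where a release-notes field needs more. The sample input, the example.com URLs and the chosen extra tags are constructed for illustration; `addTags`, `addAttributes`, `removeProtocols`, `Jsoup.clean` and `Jsoup.isValid` are real Jsoup API calls.

```groovy
import org.jsoup.Jsoup
import org.jsoup.safety.Safelist

// Constructed sample: rich text mixing wanted formatting with markup we never want to publish
def userInput = '''<h2>v1.4</h2>
<p>Release notes: <strong>fixed</strong> the login bug.</p>
<a href="https://example.com/changelog" onclick="doSomething()" title="Changelog">changelog</a>
<a href="javascript:void(0)">not this link</a>
<script>/* injected */</script>
<iframe src="https://example.com/"></iframe>'''

// Start from basic() and adjust it for this field: two heading levels, link titles,
// and only http/https link targets (basic() also permits ftp and mailto)
def safelist = Safelist.basic()
        .addTags('h2', 'h3')
        .addAttributes('a', 'title')
        .removeProtocols('a', 'href', 'ftp', 'mailto')

def cleanHtml = Jsoup.clean(userInput, safelist)

// Elements outside the safelist are dropped, and so are attributes such as onclick;
// an href whose protocol is not allowed (javascript:) is removed from its link
assert !cleanHtml.contains('<script')
assert !cleanHtml.contains('<iframe')
assert !cleanHtml.contains('onclick')
assert !cleanHtml.contains('javascript:')

// Formatting that the safelist permits survives intact
assert cleanHtml.contains('<h2>v1.4</h2>')
assert cleanHtml.contains('<strong>fixed</strong>')
assert cleanHtml.contains('href="https://example.com/changelog"')
assert cleanHtml.contains('title="Changelog"')

// isValid() reports whether the input would change under cleaning; use it when you
// would rather reject unexpected markup than silently rewrite it
assert !Jsoup.isValid(userInput, safelist)

cleanHtml
```

Prefer extending one of the built-in safelists over writing your own from scratch: the built-ins already encode the tag, attribute and URL-protocol rules that are easy to get wrong by hand.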