Build Your HTML

When you generate HTML, use MarkupBuilder for security purposes. MarkupBuilder encodes any malicious tags an editor might try to insert. Additionally, the tool ensures that the output of HTML is well-formed. For example, it checks for open tags, which would break the formatting of your page.

MarkupBuilder should be used instead of returning HTML strings whenever possible.

Sanitize Your HTML

If you need to create custom HTML from strings, parse the input HTML and filter it through a list of safe tags and attributes. This can be done using the Jsoup clean() method.

import org.jsoup.Jsoup
import org.jsoup.safety.Whitelist

def potentiallyUnsafeHtml = "<p>${parameters.userInput}</p>" //a malicious user could put HTML in the userInput parameter
def cleanHtml = Jsoup.clean(unsanitizedHtml, Whitelist.simpleText()) //This will clean out any potentially malicious HTML, while still allowing basic formatting tags
return cleanHtml

See the Jsoup Whitelist API documentation for more details on different whitelisting options.