如何从Grails默认gsp编码中排除插件? [英] How can I exclude a plugin from grails default gsp encoding?

问题描述

我正在使用grails应用程序，该应用程序对所有gsp页面使用html的默认编码:

I'm working in a grails application that is using default encoding of html for all gsp pages:

grails {
    views {
        gsp {
            encoding = 'UTF-8'
            codecs {
              expression = 'html' 
              scriptlet = 'html'
              taglib = 'none' 
              staticparts = 'none' 
            }
        }
    }
}

这很棒，并且从绝大多数应用程序中消除了XSS漏洞，但是应用程序中的某些插件在grails变量中包含HTML，这些变量在插件的GSP上呈现.如果不修改插件，就无法在不想编码的变量周围添加raw()方法.

This is great and removes XSS vulnerabilities from the vast majority of the application, but some plugins in the application include HTML in grails variables which are rendered on the GSPs in the plugins. Without modifying the plugin, I can't add the raw() method around the variables I don't want to encode.

我浏览了grails文档，可能只是在错误的位置查找，但找不到答案...

I've looked through the grails docs and may just be looking in the wrong place, but I couldn't find an answer...

是否可以从gsp编解码器中排除插件?甚至是特定的控制器/视图?

Is there a way to exclude a plugin from the gsp codecs? Or even a specific controller/view?

推荐答案

所以我终于有时间重新审视并进行更多研究.最终偶然发现了关于github的讨论( https://github.com/grails/grails -core/wiki/Default-Codecs ).

So I finally had time to revisit this and do some more research. Eventually stumbled across a discussion on github (https://github.com/grails/grails-core/wiki/Default-Codecs).

关于每插件"编码的部分内容如下:

A section about Per Plugin encoding reads as follows:

" Grails还具有控制每个插件使用的编解码器的功能.例如，如果您安装了名为foo的插件，则将以下配置放置在应用程序的Config.groovy中将仅对foo插件禁用编码

" Grails also features the ability to control the codecs used on a per plugin basis. For example if you have a plugin named foo installed, then placing the following configuration in your application's Config.groovy will disabling encoding for only the foo plugin

foo.grails.views.gsp.codecs.expression = "none"

"

在极少数情况下的旁注:

Side note in rare circumstances:

我在Config文件中保留字时遇到了其他问题.我们正在使用一个名为"custom-user-interface"的插件，并试图以相同的方式对其进行引用.

I ran into additional problems with reserved words in the Config file. We were using a plugin called 'custom-user-interface' and attempting to reference it in the same way"

custom-user-interface.grails.views.gsp.codecs.expression = "none"

未能编译，因为grails试图将接口"视为具有某种含义.尝试将其放置在字符串中

failed to compile because grails tried to treat "interface" as though it meant something. Attempting to place this in a string

'custom-user-interface'.grails.views.gsp.codecs.expression = "none"

也无法编译，并显示错误字符串没有属性'grails'"

also failed to compile with the error "no property 'grails' for String"

最终，我能够对其进行转义，并使用方括号表示法成功地迫使插件按照我想要的方式运行:

Eventually I was able to escape it and use bracket notation to successfully force the plugin to behave the way I wanted:

custom-'user-interface' {
   grails.views.gsp.codecs.expression = 'none'
}

这篇关于如何从Grails默认gsp编码中排除插件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！