Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Grails Goodness: Generating Raw Output with Raw Codec

DZone's Guide to

Grails Goodness: Generating Raw Output with Raw Codec

· Java Zone
Free Resource

Download Microservices for Java Developers: A hands-on introduction to frameworks and containers. Brought to you in partnership with Red Hat.

Since Grails 2.3 all ${} expression output is automatically escaped on GSPs. This is very useful, because user input is now escaped and any HTML or JavaScript in the input value is escaped and not interpreted by the browser as HTML or JavaScript. This is done so our Grails application is protected from Cross Site Scripting (XSS) attacks.

But sometimes we do want to output unescaped HTML content in the web browser. For example we generate the value ourselves and we know the value is safe and cannot be misused for XSS attacks. In Grails 2.3 we can use a new raw() method in our GSPs, tag libraries or controllers. The method will leave the content unchanged and return the unescaped value to be displayed. Alternatively we can use encodeAsRaw() on the content we want to leave unescaped. Finally the encodeAs tag accepts Raw or None as values for the attribute codec and will return the unescaped value.

In the following sample GSP we display the value of the content model property passed to the page. The value is set by a controller and is<em>sample</em> content.

...
  <h2>Raw output samples</h2>

  <table>
      <tr><th>Expression</th><th>Result</th></tr>
      <tr>
          <td>${'${content}'}</td>
          <td>${content}</td>
      </tr>
      <tr>
          <td>${'${raw(content)}'}</td>
          <td>${raw(content)}</td></tr>
      <tr>
          <td>${'${content.encodeAsRaw()}'}</td>
          <td>${content.encodeAsRaw()}</td>
      </tr>
      <tr>
          <td>${'<g:encodeAs codec="Raw">${content}</g:encodeAs>'}</td>
          <td><g:encodeAs codec="Raw">${content}</g:encodeAs></td>
      </tr>
      <tr>
          <td>${'<g:encodeAs codec="None">${content}</g:encodeAs>'}</td>
          <td><g:encodeAs codec="None">${content}</g:encodeAs></td>
      </tr>
  </table>
...

In our web browser we see the following output:

Code written with Grails 2.3.

Download Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design. Brought to you in partnership with Red Hat

Topics:

Published at DZone with permission of Hubert Klein Ikkink, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}