I've pushed some changes to the scb-safebuffer branch: https://github.com/grails/grails-core/commits/scb-safebuffer . This branch has the "safe buffer" solution I've had as a goal.
There are a few things on my todo list that should be done before 2.3 M1 release:
- rename "mimeType" to "contentType" in the code, for consistency
- add separate active "codec" setting for taglibs internally (taglibCodec)
- solve how inheriting active codecs should behave. Do we need "inherit to next" or "inherit to all" separately?
- implement the configuration of default codecs
- implement the configuration of default codecs for plugins
- implement codec aliasing to solve the html -> xml or html4 "redirection"
- check how the "safebuffer" should check if a buffer part should be applied. Is the current "isSafe" solution ok? Do we need a separate solution for checking if a certain codec should be applied or not
implement unit tests for these use cases:
- output should be safe at the end
- detailed test document showing a GSP + Taglib that uses a default HTML codec but also writes out JS data inline in the GSP, and writes out JS data inline using a call to a TagLib, and a call to a tag that renders pre-escaped HTML content, and so on
- tag output must not be automatically encoded.
- tag call as function call should use defaultEncodeAs / encodeAsForTags settings
- scriptlets should apply outCodec
- double encoding should be prevented
- Plugins cannot have their pages break because the app developer changes default codec setting.
- Ideally the user should never need to explicitly think about codecs or calling them except in rare situations.
- Add a function/tag to switch the current default codec - effectively pushing and popping a default codec stack. This could take the form of a withCodec(name, Closure) method in tags.
- <g:render> and similar tags would need to set default codec to HTML again when including another GSP, pushing whatever was default onto a stack
- Add support for an optional encodeAs attribute to all tags automatically, such that the result will be encoded with that codec if specified i.e. var s = $
- All GSPs in app or plugins default to HTML codec unless developer does something to change that using directive/tag
- All outputs of expressions/inline code apply the current default codec
- Tags are responsible for the correct encoding of their output, unless specified in encodeAs= attribute
- It's possible to use raw codec to mark some output as something that shouldn't be escaped
- support map argument to encodeAs attribute so that templateCodec, pageCodec & defaultCodec can be changed separately
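To make the "safe buffer" behaviour in the list above concrete, here is an added Groovy sketch of the idea (it is not code from the scb-safebuffer branch or from grails-core, and `Codec`, `Encoded`, `SafeOut`, `expr`, `tag`, `markup`, `raw`, `withCodec` and `encodeAs` are names chosen for this illustration, as are the deliberately small HTML and JavaScript codecs). It models the points the use cases ask for: every expression applies the current default codec, a value that already carries its codec is never encoded twice, tag output is written as the tag produced it, `raw` marks output that must not be escaped, and `withCodec` pushes and pops the default codec the way a `<script>` block or a `<g:render>` call would.

```groovy
import java.util.ArrayDeque
import java.util.Deque

interface Codec {
    String getName()
    String encode(String s)
}

// Toy HTML codec: order matters, '&' must be replaced first.
class HtmlCodec implements Codec {
    private static final Map<String, String> MAP =
        ['&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;']
    String getName() { 'HTML' }
    String encode(String s) {
        String out = s
        MAP.each { k, v -> out = out.replace(k, v) }
        out
    }
}

// Toy codec for data placed inside a JS string literal; escaping '/' keeps
// a '</script>' in the data from terminating the enclosing script block.
class JavaScriptCodec implements Codec {
    private static final Map<String, String> MAP =
        ['\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r', '/': '\\/']
    String getName() { 'JavaScript' }
    String encode(String s) {
        String out = s
        MAP.each { k, v -> out = out.replace(k, v) }
        out
    }
}

// A string that remembers which codecs have already been applied to it.
class Encoded {
    final String text
    final Set<String> appliedCodecs
    Encoded(String text, Set<String> codecs) {
        this.text = text
        this.appliedCodecs = codecs.asImmutable()
    }
    String toString() { text }
}

class SafeOut {
    private final StringBuilder buf = new StringBuilder()
    private final Deque<Codec> codecStack = new ArrayDeque<Codec>()

    SafeOut(Codec pageDefault) { codecStack.push(pageDefault) }

    Codec getCurrentCodec() { codecStack.peek() }

    // Static template text: written as-is, like the markup between GSP expressions.
    void markup(String s) { buf << s }

    // A ${...} expression or scriptlet: the current default codec is applied once.
    void expr(Object value) { buf << encodeAs(currentCodec, value).text }

    // Tag output: the tag is responsible for its own encoding, nothing is applied here.
    void tag(Encoded tagOutput) { buf << tagOutput.text }

    // Apply a codec unless the value already carries it (or is marked raw).
    Encoded encodeAs(Codec codec, Object value) {
        if (value instanceof Encoded) {
            Encoded e = (Encoded) value
            if (e.appliedCodecs.contains(codec.name) || e.appliedCodecs.contains('Raw')) return e
            return new Encoded(codec.encode(e.text), e.appliedCodecs + codec.name)
        }
        new Encoded(codec.encode(String.valueOf(value)), [codec.name] as Set)
    }

    Encoded raw(Object value) { new Encoded(String.valueOf(value), ['Raw'] as Set) }

    // Push a default codec for the duration of the closure, then restore the previous one.
    void withCodec(Codec codec, Closure body) {
        codecStack.push(codec)
        try { body.call() } finally { codecStack.pop() }
    }

    String toString() { buf.toString() }
}

// Constructed sample: one untrusted value used in an HTML context, inside a
// script block, via a tag that pre-escapes, twice-encoded, and as raw markup.
def html = new HtmlCodec()
def js = new JavaScriptCodec()
def out = new SafeOut(html)
def userInput = 'Tom & "Jerry" <script>'

assert out.encodeAs(html, userInput).text == 'Tom &amp; &quot;Jerry&quot; &lt;script&gt;'
assert out.encodeAs(html, out.encodeAs(html, userInput)).text == 'Tom &amp; &quot;Jerry&quot; &lt;script&gt;'
assert out.encodeAs(js, userInput).text == 'Tom & \\"Jerry\\" <script>'
assert out.encodeAs(html, out.raw('<hr/>')).text == '<hr/>'

out.markup('<p>')
out.expr(userInput)                          // HTML codec applied by the page default
out.markup("</p><script>var name = '")
out.withCodec(js) { out.expr(userInput) }    // JS codec applied inside the script block
out.markup("';</script>")
out.tag(out.encodeAs(html, userInput))       // tag returns pre-escaped HTML, not re-encoded
out.expr(out.encodeAs(html, userInput))      // explicit encodeAs + page default: encoded once
out.expr(out.raw('<hr/>'))                   // raw: written unchanged
assert out.currentCodec.name == 'HTML'       // the stack was restored after withCodec
println out
```

The pass-through check in `encodeAs` is the part that corresponds to the "isSafe" question in the list: here a value is considered safe for a codec only when that exact codec (or raw) has already been applied, so an HTML-encoded value placed inside a JavaScript context is still JavaScript-encoded on top, and a JavaScript-encoded value placed in an HTML context is still HTML-encoded.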