Put simply: call .encodeAsHTML() on every user-supplied value that is printed into a view. Anything a user can type (a name, a comment, a profile field) and that is later rendered for someone else is a stored cross-site scripting (XSS) vector if it is written to the page unescaped.
For example, if a malicious user changes their name to <script src="evilscript.js">giveMeAdminRights();</script>, rendering ${user.name} directly writes that tag into the HTML, and the script runs in the browser of the admin who views the profile. Rendering ${user.name.encodeAsHTML()} instead turns the angle brackets into &lt; and &gt; (and quotes into &quot;), so the browser displays the text literally and nothing executes.
The fieldValue tag does the same encoding for you: <g:fieldValue bean="${user}" field="name"/>
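The following GSP fragment is an added example, not code from the original post. It assumes a view with a `user` bean that has a `name` property; the malicious name value is the one quoted above. It shows the vulnerable form beside the two fixes from the post, and goes one step further than the post by covering attribute and JavaScript contexts, where the right Grails codec differs.

```gsp
<%-- grails-app/views/user/show.gsp (added example, not from the original post) --%>
<%-- Assumed model: a 'user' bean with a String 'name' property. --%>
<%-- Constructed attacker input for the walkthrough:
     <script src="evilscript.js">giveMeAdminRights();</script> --%>
<html>
<body>
  <h1>User profile</h1>

  <%-- VULNERABLE: raw output. With grails.views.default.codec = 'none'
       (the default before Grails 2.3) the script tag is written to the page
       verbatim and runs in the admin's browser. --%>
  <p>Name: ${user.name}</p>

  <%-- FIXED: HTML-encode before printing. The same name is emitted as
       &lt;script src=&quot;evilscript.js&quot;&gt;... and shows up as text. --%>
  <p>Name: ${user.name.encodeAsHTML()}</p>

  <%-- Equivalent, using the tag from the post: fieldValue HTML-encodes
       the property value for you. --%>
  <p>Name: <g:fieldValue bean="${user}" field="name"/></p>

  <%-- Attribute values need encoding too. Keep the attribute double-quoted:
       the encoded &quot; cannot close it early, whereas a single-quoted
       attribute depends on the codec also escaping the apostrophe. --%>
  <input type="text" name="name" value="${user.name.encodeAsHTML()}"/>

  <%-- Different context, different codec. Inside a script block HTML
       encoding is the wrong tool; encodeAsJavaScript is the Grails codec
       for string literals in JavaScript. --%>
  <script type="text/javascript">
    var displayName = "${user.name.encodeAsJavaScript()}";
  </script>
</body>
</html>
```

Rather than remembering to encode at every `${...}`, set `grails.views.default.codec = "html"` in Config.groovy so that every GSP expression is HTML-encoded unless you opt out; Grails 2.3 and later ship with that as the default. Explicit `.encodeAsHTML()` calls are still harmless there, and the per-context codecs (`encodeAsJavaScript`, `encodeAsURL`) remain necessary wherever the output is not plain HTML text.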