In my Grails app I'm extracting text from the params and using that as parameters in my Domain queries:
Example:
def color = Colors.findByName(params.colorname)
I imagine someone could fiddle with the params.colorname parameter to run bad queries against my mysql database.
What are some of the good practices to protect against things like these?
When you render a field in your view that could potentially contain an XSS attack, you need to encode it as HTML. You should make sure all fields that contain user input are encoded. All of the standard Grails tags encode as HTML. If you use ${} in a view though, that's where you can run into trouble. You need to either manually encode it like ${colorname.encodeAsHTML()} or use a tag like fieldValue if it's a bean property.
You can also set the global default codec with grails.views.default.codec = "html" in Config.groovy.
Watch out for double encoding and making sure you encode as HTML in your custom tags.
You also reference SQL injection attacks, which are different from XSS attacks. You're only at risk of SQL injection if you're writing your own SQL or HQL and directly interpolating user input into the SQL/HQL. That means do Colors.executeQuery("from Colors where name like ?", [params.colorname]) instead of Colors.executeQuery("from Colors where name like $params.colorname").
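The two points of the answer above, parameter binding for HQL and HTML encoding on output, as an added Grails example that is not part of the original question or answer. It assumes a domain class Colors with a String property name and a hypothetical ColorsController with a search action; the names are illustrative only.

```groovy
// Added example (not from the original post). Assumed: domain class Colors
// with a String property `name`; this controller and its action are hypothetical.
class ColorsController {

    def search() {
        // Vulnerable form: user input is interpolated into the HQL text, so a
        // quote or comment sequence in params.colorname changes the query itself.
        // def unsafe = Colors.executeQuery(
        //     "from Colors where name like '${params.colorname}'")

        // Safe form: the value is passed as a bound parameter. Hibernate sends it
        // separately from the query text, so it can never alter the statement.
        def byPositional = Colors.executeQuery(
            "from Colors where name like ?", [params.colorname])

        // Same query with a named parameter, which reads better as queries grow.
        def byNamed = Colors.executeQuery(
            "from Colors where name like :name", [name: params.colorname])

        // A dynamic finder needs no hand-written HQL at all and binds for you.
        def byFinder = Colors.findAllByNameLike(params.colorname)

        // Caveat: binding stops injection, but LIKE still treats % and _ in the
        // input as wildcards, so a bare "%" matches every row. Reject or escape
        // them if the result set must stay narrow.
        def pattern = params.colorname?.replaceAll(/[%_]/) { "\\" + it }
        def byEscaped = Colors.executeQuery(
            "from Colors where name like :name escape '\\'", [name: pattern])

        // On the way out the value is still untrusted. In the GSP, render it
        // through an encoding path rather than a raw ${}:
        //   ${colorname.encodeAsHTML()}
        //   <g:fieldValue bean="${color}" field="name"/>
        // or set grails.views.default.codec = "html" in Config.groovy.
        [colors: byEscaped, colorname: params.colorname]
    }
}
```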