Tags: grails, xss, grails-orm

How to protect against XSS attacks in Grails app


In my Grails app I'm extracting text from the params and using that as parameters in my Domain queries:

Example:

def color = Colors.findByName(params.colorname)

I imagine someone could fiddle with the params.colorname parameter to run bad queries against my mysql database.

What are some of the good practices to protect against things like these?


Solution

  • When you render a field in your view that could potentially contain an XSS attack, you need to encode it as HTML. You should make sure all fields that contain user input are encoded. All of the standard Grails tags encode as HTML. If you use ${} in a view though, that's where you can run into trouble. You need to either manually encode it like ${colorname.encodeAsHTML()} or use a tag like fieldValue if it's a bean property.

    You can also set the global default codec with grails.views.default.codec = "html" in Config.groovy.

    Watch out for double encoding and making sure you encode as HTML in your custom tags.

    You also reference SQL injection attacks, which are different from XSS attacks. You're only at risk of SQL injection if you're writing your own SQL or HQL and directly interpolating user input into the SQL/HQL. That means do Colors.executeQuery("from Colors where name like ?", params.colorname) instead of Colors.executeQuery("from Colors where name like $params.colorname").
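The two points of the answer side by side, as an added example that is not part of the original question or answer. It assumes a Grails 2.x application containing the `Colors` domain class (with a `name` property) from the question; `ColorController` and its action names are hypothetical.

```groovy
// Added example (not from the original post). Assumes the Colors domain class
// from the question; the controller and action names are hypothetical.
class ColorController {

    // Dynamic finders bind the argument as a query parameter, so the value of
    // params.colorname is never spliced into the generated SQL text.
    def show() {
        def color = Colors.findByName(params.colorname)
        // Hand the raw user input to the view; it must be encoded *there*
        // (see the GSP fragment below), not trusted as markup.
        [color: color, colorname: params.colorname]
    }

    // Vulnerable form: GString interpolation pastes the raw parameter into the
    // HQL string, so the parameter can change the query itself.
    def searchUnsafe() {
        def matches = Colors.executeQuery(
            "from Colors where name like '%${params.colorname}%'")
        [matches: matches, colorname: params.colorname]
    }

    // Fixed form: a named HQL parameter. Hibernate binds it as a value, so
    // whatever the user typed is compared, never executed. The toString() is
    // needed because Hibernate does not bind GString objects as parameters.
    def search() {
        def pattern = "%${params.colorname ?: ''}%".toString()
        def matches = Colors.executeQuery(
            "from Colors where name like :pattern",
            [pattern: pattern])
        [matches: matches, colorname: params.colorname]
    }

    // Positional parameters work the same way when passed as a list.
    def searchPositional() {
        def matches = Colors.executeQuery(
            "from Colors where name like ?",
            ["%${params.colorname ?: ''}%".toString()])
        [matches: matches, colorname: params.colorname]
    }
}
```

In the matching GSP, render the echoed input as `${colorname?.encodeAsHTML()}` (or `<g:fieldValue bean="${color}" field="name"/>` for the bean property) rather than a bare `${colorname}`, and with `grails.views.default.codec = "html"` set in Config.groovy the bare form is encoded too.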