Escaping Output to Mitigate XSS - spring form tag htmlEscape equivalent? #877
-
|
I'm currently working on a project to migrate jsp files to thymeleaf. I'm aware that the spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. Is there a standard way to achieve this same functionality in thymeleaf? Is XSS protection built into thymeleaf? To clarify, I'm looking for output-escaping here, which is something that happens on the server side when processing a template to render. Here is a brief article to give you an idea of what I mean regarding the spring behavior. I've also asked this over on Stack Overflow |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hey there, so HTML escaping is built into Thymeleaf by default, and you usually have to go out of your way to turn it off (eg: use specific attribute processors that are made for leaving text unescaped). I can't seem to find much mention of this in the docs though, with the closest thing being this section in the general Thymeleaf tutorial about how to emit unescaped text: https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#more-on-texts-and-variables Just to double check, I looked the code for the At line 111 it gets the object to work on from the Spring backing bean, and that |
Beta Was this translation helpful? Give feedback.
-
|
Thank you Emanuel this is really helpful! I went through and manually checked all the uses of getDisplayString() where htmlEscape is false and can verify that in these cases, the output is HTML escaped before displaying (in the case of SpringErrorTagProcessor and SpringUErrorsTagProcessor), they don't output any content to escape (SpringSelectedValueComparator returns a boolean), or the expression is a bound object (SPELVariableExpressionEvaluator). I wonder if it would help to add a more explicit statement about this in the docs for the benefit of others? |
Beta Was this translation helpful? Give feedback.
-
|
Yep, having something about this in the docs could definitely be useful. I've raised thymeleaf/thymeleaf-docs#84 for this |
Beta Was this translation helpful? Give feedback.
Hey there, so HTML escaping is built into Thymeleaf by default, and you usually have to go out of your way to turn it off (eg: use specific attribute processors that are made for leaving text unescaped). I can't seem to find much mention of this in the docs though, with the closest thing being this section in the general Thymeleaf tutorial about how to emit unescaped text: https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#more-on-texts-and-variables
Just to double check, I looked the code for the
th:input="text"processor in thethymeleaf-springproject, which is this file here: https://github.com/thymeleaf/thymeleaf-spring/blob/3.1-master/thymeleaf-spring5/src/main/java/org…