Since Grails 2.3 the output of all ${} expressions in GSPs is automatically HTML-escaped. This is very useful, because any HTML or JavaScript in a user-supplied value is now escaped and rendered as text instead of being interpreted by the browser as HTML or JavaScript, which protects our Grails application from Cross Site Scripting (XSS) attacks.
But sometimes we do want to output unescaped HTML content in the web browser, for example when we generate the value ourselves and know it is safe and cannot be misused for XSS attacks. Only markup we built ourselves should be left unescaped: any user input that ends up inside such a value must still be escaped before it is included, otherwise the raw output reintroduces exactly the XSS hole the automatic escaping closes. In Grails 2.3 we can use the new raw() method in our GSPs, tag libraries or controllers. The method leaves the content unchanged and returns the unescaped value to be displayed. Alternatively we can call encodeAsRaw() on the content we want to leave unescaped. Finally the encodeAs tag accepts Raw or None as values for its codec attribute and returns the unescaped value.
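As an added example of using raw() without giving up the XSS protection (this is not code from the original post or from Grails itself), the controller and tag library below build the markup themselves and escape the one untrusted piece explicitly before marking the result raw. The class, action and parameter names (GreetingController, index, name, badge) are hypothetical, and the code assumes a Grails 2.3 application with the automatic HTML escaping of ${} expressions enabled.

```groovy
package demo

// Added example, not code from the original post. Assumes a Grails 2.3
// application with the default HTML escaping of ${} expressions enabled.
// The controller, tag library, action and parameter names are hypothetical.
class GreetingController {

    def index() {
        // Untrusted request parameter: never pass this to raw() directly.
        String name = params.name ?: 'world'

        // Escape the untrusted part explicitly, then embed it in markup we
        // wrote ourselves. Only the assembled string is marked raw, so the
        // GSP keeps our <strong> tag while the user-supplied name stays inert.
        String greetingHtml = "<strong>Hello, ${name.encodeAsHTML()}!</strong>"

        [
            // ${greeting} in the GSP is rendered as HTML (bold text)
            greeting: raw(greetingHtml),
            // ${unsafe} in the GSP is escaped: the <strong> tags show up as text
            unsafe  : "<strong>Hello, ${name}!</strong>"
        ]
    }
}

// Tag library variant of the same idea, usable in a GSP as
//   <demo:badge text="${params.name}"/>
class GreetingTagLib {
    static namespace = 'demo'

    def badge = { attrs ->
        // Markup we control is written raw; the attribute value, which may
        // come straight from user input, is escaped explicitly instead of
        // relying on whatever codec is configured for tag library output.
        out << raw('<span class="badge">')
        out << (attrs.text ?: '').encodeAsHTML()
        out << raw('</span>')
    }
}
```

With a request such as ?name=%3Cscript%3Ealert(1)%3C/script%3E the greeting model value renders as bold text that literally shows the script tags, because the name was escaped before the surrounding markup was marked raw; passing params.name to raw() directly would instead deliver the script to the browser.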
In the following sample GSP we display the value of the content model property passed to the page. The value is set by a controller and is the string <em>sample</em> content, so it contains HTML markup that is either escaped or rendered depending on how we output it.
...
<h2>Raw output samples</h2>
<table>
    <tr><th>Expression</th><th>Result</th></tr>
    <tr>
        <td>${'${content}'}</td>
        <td>${content}</td>
    </tr>
    <tr>
        <td>${'${raw(content)}'}</td>
        <td>${raw(content)}</td>
    </tr>
    <tr>
        <td>${'${content.encodeAsRaw()}'}</td>
        <td>${content.encodeAsRaw()}</td>
    </tr>
    <tr>
        <td>${'<g:encodeAs codec="Raw">${content}</g:encodeAs>'}</td>
        <td><g:encodeAs codec="Raw">${content}</g:encodeAs></td>
    </tr>
    <tr>
        <td>${'<g:encodeAs codec="None">${content}</g:encodeAs>'}</td>
        <td><g:encodeAs codec="None">${content}</g:encodeAs></td>
    </tr>
</table>
...
In our web browser we see the following output: the first row shows the text <em>sample</em> content literally, with the tags visible, because the expression output was escaped; the other four rows render sample content with the word sample in italics, because the markup reached the browser unescaped.
Code written with Grails 2.3.