marcpalmer edited this page Sep 15, 2011 · 27 revisions

Challenge

A default codec of HTML for GSPs protects applications from cross-site scripting (XSS) attacks. The trouble is that the default codec applies to every GSP, including those provided by plugins. Since the application developer controls the setting, how does a plugin know whether a value it renders will be encoded as HTML or not? And what if a value should be encoded as JavaScript rather than HTML, for example when it is written into a script block or an event-handler attribute?

You can currently override the default codec for a single GSP with the defaultCodec page directive, but finer-grained control would be useful.

The problems can be expressed as follows:

  • Out of the box, apps and plugins should be immune to such XSS attacks unless the developers explicitly change the default behaviour
  • There is a risk of double-encoding data when the developer is not aware of encodings already applied
  • Plugins must not have their pages break because the app developer changes the default codec setting
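To make the two failure modes concrete (HTML encoding applied where JavaScript encoding is needed, and double-encoding of values a plugin already encoded), here is an added, self-contained model written for this page; it is not Grails or GSP code. The Encoded marker class, the js_encode routine, the two helpers that mimic how a browser hands template output to its JavaScript engine, and the attacker input are all assumptions made for the illustration.

```python
import html

# Added illustration of the codec problem, not Grails/GSP code. The Encoded
# marker, js_encode and the browser-parsing helpers are assumptions.


class Encoded(str):
    """A string already encoded for a named context ("html" or "js").

    The marker lets a codec skip values that were encoded for the same
    context, which is what prevents double-encoding below.
    """

    def __new__(cls, value, codec):
        obj = super().__new__(cls, value)
        obj.codec = codec
        return obj


def html_encode(value):
    """HTML-encode (quotes included) unless already HTML-encoded."""
    if isinstance(value, Encoded) and value.codec == "html":
        return value
    return Encoded(html.escape(str(value), quote=True), "html")


def js_encode(value):
    """Encode for a JavaScript string literal.

    Uses backslash and \\uXXXX escapes only, never HTML entities: the HTML
    parser does not decode entities inside <script>, so an HTML-encoded
    value there arrives in JavaScript still carrying its entities.
    """
    if isinstance(value, Encoded) and value.codec == "js":
        return value
    out = []
    for ch in str(value):
        if ch in "\\'\"":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "<>&\u2028\u2029":
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return Encoded("".join(out), "js")


# --- how a browser hands template output to its JavaScript engine ---

def js_from_attribute(attr_text):
    """onclick="...": the HTML parser decodes entities before JS sees it."""
    return html.unescape(attr_text)


def js_from_script_block(body):
    """<script>...</script>: entities are passed through untouched."""
    return body


def breaks_out(js_text):
    """True if the first single-quoted JS literal closes before the last
    quote in js_text, i.e. attacker data escaped its quoted context."""
    i = js_text.index("'") + 1
    while i < len(js_text):
        if js_text[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if js_text[i] == "'":
            return i != js_text.rindex("'")
        i += 1
    return True             # unterminated literal: also a failure


PAYLOAD = "'); alert(document.cookie); //"   # constructed attacker input


def onclick_handler(value, *codecs):
    """Render onclick="show('${value}')" applying codecs in order and
    return the JavaScript the browser would execute on click."""
    for codec in codecs:
        value = codec(value)
    return js_from_attribute("show('%s')" % value)


def script_var(value, codec):
    """Render <script>var name = '${value}';</script> with one codec."""
    return js_from_script_block("var name = '%s';" % codec(value))


def double_encoded(plugin_output):
    """Re-encode a plugin's already HTML-encoded fragment under the app's
    html default codec; return (naive_result, marker_aware_result)."""
    naive = html.escape(str(plugin_output), quote=True)
    aware = html_encode(plugin_output)
    return str(naive), str(aware)
```

Run onclick_handler(PAYLOAD, html_encode) and the handler becomes show(''); alert(document.cookie); //'): the HTML parser turned &#x27; back into a quote before JavaScript ran, so HTML encoding alone did nothing for this context. Encoding for the innermost context first, onclick_handler(PAYLOAD, js_encode, html_encode), keeps the payload inside the string literal. In a script block the opposite problem appears: html_encode leaves a literal &amp; in the JavaScript value, while js_encode yields \u0026, which JavaScript decodes to the intended ampersand. The double_encoded pair shows why a marker (or equivalent bookkeeping) matters: without it the app's html codec turns a plugin's &lt;b&gt; into &amp;lt;b&amp;gt;, which renders as visible entity text.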

Suggestions
