Where can I see the specification for thymeleaf th:method? - thymeleaf

I've seen a lot of answers about how to send PUT/DELETE/PATCH HTTP requests with thymeleaf, and it's by using th:method = "the_specific_method", but i haven't found the thymeleaf specification about that. Can anyone help showing me where is it?
Thanks in advance.
I've tried to google for the answer, but no luck.

th:method isn't special to Thymeleaf -- it's just like any other plain old attribute which will output the result of an expression to the method attribute. It doesn't do (or care about) anything else. You can put any string and/or string expression into it, and Thymeleaf will happily output it.
th:method="${'the_specific_method'}"
will output
method="the_specific_method"
without regards to whether or not it's valid. If you want to learn about the method attribute, you just need to learn about how method works in plain old regular html and how browsers (and/or Spring) work with it.

Related

When do I need to encode with multiple codecs in Grails?

I'm not clear of when (or if) I should use multiple Grails encodeAsXXX calls.
This reference says you need to encodeAsURL and then encodeAsJavaScript: http://grailsrocks.com/blog/2013/4/19/can-i-pwn-your-grails-application
It also says you need to encodeAsURL and then encodeAsHTML, I don't understand why this is necessary in the case shown but not all the time?
Are there other cases I should me using multiple chained encoders?
If I'm rendering a URL to a HTML attribute should I encodeAsURL then encodeAsHTML?
If I'm rendering a URL to a JavaScript variable sent as part of a HTML document (via a SCRIPT element) should I encodeAsURL, encodeAsJavaScript then encodeAsHTML?
If I'm rendering a string to a JavaScript variable sent as part of a HTML document should I encodeAsJavaScript then encodeAsHTML?
The official docs - https://docs.grails.org/latest/guide/security.html - don't show any examples of multiple chained encoders.
I can't see how I can understand what to do here except by finding the source for all the encoders and looking at what they encode and what's valid on the receiving end - but I figure it shouldn't be that hard for a developer and there is probably something simple I'm missing or some instructions I haven't found.
FWIW, I think the encoders I'm talking about are these ones:
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/JavaScriptUtils.html#javaScriptEscape-java.lang.String-
https://docs.oracle.com/javase/7/docs/api/java/net/URLEncoder.html#encode(java.lang.String,%20java.lang.String)
https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html#htmlEscape-java.lang.String-
.
It is certainly important to always consider XSS but in reading your question I think you are overestimating what you need to do. As long as you're using Grails 2.3 or higher and your grails.views.default.codec is set to html which it will be by default, everything rendered in your GSP with ${} will be escaped properly for you.
It is only when you are intentionally bypassing the escaping, such as if you need to get sanitized user input back into valid JavaScript within your GSP for some reason, that you would need to use the encodeAsXXX methods or similar.
I would argue (and the article makes a mention of this as well) that this should raise a smell anyway, as you probably should have that JavaScript encapsulated in a different file or TagLib where the escaping is handled.
Bottom line, use the encoding methods only if you are overriding the default HTML encoding, otherwise ${} handles it for you.

Spring Thymeleaf expression is not working

Can anyone please point out the problem i am facing while passing values through context to a templateEngine please.
<img th:src="${serverURL}/support-images/logo.jpg" height="54" width="108" alt=""></img>
"${serverURL}" : supposed to give me the complete URL where my application is hosted. The error i am getting is "Could not parse as expression: "${serverURL}/support-images/logo.jpg""
It make me realized something is wrong in the syntax but i could not follow the articles available. Can anyone please help!!
Thanks!!
You mix literals and expressions in your attribute. You should probably write <img th:src="${serverURL}+'/support-images/logo.jpg'" height="54" width="108" alt=""></img> for it to work better. See the examples in the documentation.
You may also want to read about the link URL feature in Thymeleaf (#{} notation) that can assist when building URLs.

Swagger UI issue with camelCase

I am facing problem with the query parameters if they are in camelCase format.
for ex : http://localhost:9000/api/hello?personName=test
This format doesnt work with the Swagger UI. Swagger is not able to pickup any parameter defined in camelCase. It shows error "missing required params: presonName".
Hope this is clear now.
Adding one more screen shot with error
thanks
Wierd but true. I ended up finding something which is a very rare case. As you can see in the screen shot, I was using nodeType as a parameter and to my surprise, the word nodeType is a reserved word in "document" object of html. and thats the reason it creates a problem. I just changed the nodeType to nodeTypeStr and it works fine for me. But still it will be good if Swagger developers take care of handling the reserved words.

Rails comments system with bb-code

In my rails 4 app i want to add comments to my articles, but i want to add functional as most forum-engines do (like SMF), and i need to add bb-code for it.
Are there any good gem for it? With rails 4 support? How then in controller i can translate [quote] to some div with some style?
Also how is it good to store html data in database?
For example if i use haml, and somebody post comment as
- current_user.id
or something similar to this, how to secure my app from "bad boys" ? Sure i can change comments system to something like: quote_parent_id, but if i have multiple quotes in one comment? so it is hard to realise, better is to store html, but to secure it somehow.
Could i do this? And how? Please give good ideas, tutorials, gem-links.
Look into https://github.com/veger/ruby-bbcode
Since it converts to HTML and does not excecute user input as Ruby code - you'll be fairly safe. However, I havent tried the gem and its possible it introduces some XSS vulnerabilities.
Have you considered Markdown as an option?
You should also look into https://github.com/asceth/bbcoder ( I should note I am the original author ).
In the controller, changing a string such as "[quote=user]My post of epic importance[/quote]" into a div etc is just doing:
# assume params[:comment] is the text you are converting
params[:comment].bbcode_to_html
As for storing html in a database, there is no right or wrong answer. If you want to allow users to edit their posts later then I would lean towards not storing the html version but storing their original bbcode version. This way when you allow them to edit you aren't having to convert html back to bbcode.
To make sure you aren't open to XSS and other attacks I recommend combining other gems like sanitize.
Sanitize.clean(text.to_s).bbcode_to_html
Some more notes:
Multiple tags and nested tags are parsed as they are seen without any additional steps required. So a comment or post with lots of bbcode tags, multiple quotes, b tags or anything else is dealt with by just calling bbcode_to_html on the variable/string.
If a user tries to use haml in their post it should appear as-is. haml shouldn't try to eval the string unless you specifically tell it to which I'm not even sure how to do that unless haml as a special filter or operator.

Struts 2 - is there any way to escape HTML in input fields?

When I allow a user to enter text using s:textfield, he can enter something like <b>Name</b> or something like \Me/. I want that these should be escaped before I am saving them to the database. When we retrieve them, the escaping is done automatically, but I want it to happen also when we are saving it.
I was trying to return a json output from my action class, but due to a name \a/ stored in my database, wrong json was being formed. This would have been avoided if the name had been escaped before being saved into the database.
You can use StringEscapeUtils. You can call escapeJavascript(textfield) in your action and then store it into the database.
#Daud, The problem you explained is called Cross site scripting or XSS.
And I think you should use Filters to clean the request parameters. This is the most sophisticated way. You can call these filters for the actions which are posting some parameters via request.
Visit my blog to see how to avoid XSS threat using Filter approach.
I also faced this issue when our project was tested by well known firm specializing in security testing and they suggested this filter approach.
You can give it a try.

Resources