The Grails Config.groovy setting grails.views.default.codec specifies the default codec used to encode data within ${...} in Grails views.

This config setting can take any of the values none (no filtering required), html (to avoid XSS attacks) and base64 (has no real-world use-case that I know of).

The Grails default is none (no filtering).

Questions:

  • Are there any compelling technical reasons not to use the safer option "html"?
  • When do you choose to go with the default option of "none" in your Grails projects?
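The two settings side by side in Config.groovy, as an added example that is not part of the original question; the GSP lines in the comments are illustrative and assume a `comment` object with a user-supplied `body` property:

```groovy
// Config.groovy (added example, not taken from the original post).
// Keep only one of the two assignments below; the last one wins.

// Weak: the Grails default. Whatever a ${...} expression in a GSP returns is
// written into the response verbatim, so user-controlled data such as a
// comment body is rendered as markup unless every expression escapes itself:
//   <p>${comment.body}</p>                  -> raw, script tags in body run
//   <p>${comment.body.encodeAsHTML()}</p>   -> escaped, rendered as text
grails.views.default.codec = "none"

// Hardened: every ${...} expression is HTML-escaped before it reaches the
// response, so the first GSP line above is safe without the explicit call.
// Two consequences to plan for when switching:
//   - expressions that already call .encodeAsHTML() are now escaped twice
//     (a literal "&amp;lt;" appears where "&lt;" was intended), so those
//     explicit calls should be removed;
//   - a page that intentionally emits markup from ${...} has to opt out with
//     the page directive  <%@ page defaultCodec="none" %>  at the top of
//     that GSP, which keeps the unsafe behaviour confined to one view.
grails.views.default.codec = "html"
```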
+1  A: 

A question on a similar topic here. I don't claim big expertise on this, but I imagine. Why it's not html by default is strange to me. I found GRAILS-2945, where this was proposed but ultimately rejected, without too much explanation. There is also some more information in GRAILS-1827, when the issue was first implemented.

Jean Barmash