[
https://issues.apache.org/jira/browse/GROOVY-2885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17195358#comment-17195358
]
Sergey Ponomarev commented on GROOVY-2885:
------------------------------------------
{quote}
Is the recommendation here to have Groovy include functionality like Grails'
#encodeAsHTML()?
{quote}
IMHO yes, for a few reasons:
1. Some users who use just plain Groovy may be confused when they search for
a way to encode a string as HTML and find a solution on SO for Grails. On my
current project we use Groovy for email templates and I really need the method.
2. From an architectural point of view it's not cool that Grails adds mixins to
basic Java classes. Even if we need this, it would be better to do it at the
Groovy language level.
3. Functions that are critical for security should be as easily available as
possible. Even if a programmer just sees them in IDE autocomplete, this at
least makes programmers aware that such an approach exists and that
sometimes they should escape HTML.
Even more, I think this should be added to java.lang.String at the JDK level.
Anyway, Groovy also provides a
[StringEscapeUtils|http://docs.groovy-lang.org/latest/html/gapi/groovy/json/StringEscapeUtils.html]
which doesn't have the escapeHTML() method, while its JavaDoc says:
{quote}
Escapes and unescapes Strings for Java, Java Script, HTML, XML, and SQL.
Note that this version is a stripped down version from Commons Lang 2.6 with
only necessary methods for JSON builder
{quote}
I.e. initially the class was copied from [Commons Lang
StringEscapeUtils|https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html]
and it even has the original JavaDoc, which says that the class provides
escaping of HTML, but everything was removed except the JSON utilities.
So as a workaround we may copy those stripped functions back to
groovy.json.StringEscapeUtils.
Still, we have some mess, and [almost every
framework|https://stackoverflow.com/questions/1265282/recommended-method-for-escaping-html-in-java]
provides its own escape HTML function:
* Commons Lang
* OWASP ESAPI
https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/Encoder.java
* Spring HtmlUtils
* Android Html.escapeHtml()
If we can solve this important problem at the Groovy level then it may be worth doing.
> Add encode() method to java.lang.String
> ---------------------------------------
>
> Key: GROOVY-2885
> URL: https://issues.apache.org/jira/browse/GROOVY-2885
> Project: Groovy
> Issue Type: Improvement
> Components: groovy-jdk
> Reporter: Michal Szklanowski
> Assignee: Paul King
> Priority: Minor
>
> Can you add encode() method to java.lang.String in one of the upcoming
> versions of Groovy?
> It would be very useful to just execute encode on any String and get encoded
> String, without calling URLEncoder directly.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
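
The email-template case mentioned in the comment, as an added example that is not part of the original message or of Groovy itself: a plain-Groovy script that renders the same template with and without HTML escaping. The `encodeAsHTML` method defined here is a hypothetical local stand-in for the requested feature, the sample input is constructed, and the script assumes `groovy.text.SimpleTemplateEngine` is on the classpath.

```groovy
import groovy.text.SimpleTemplateEngine

// Hypothetical local stand-in for the requested String method (not a Groovy API).
// '&' is replaced first so that entities produced by the later steps are not
// escaped a second time. Covers HTML text and quoted attribute values only.
String.metaClass.encodeAsHTML = { ->
    delegate.replace('&', '&amp;')
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;')
}

def engine = new SimpleTemplateEngine()

// Constructed sample input standing in for a user-supplied display name.
def binding = [name: '<b>Ann</b> & "Co"']

// Single-quoted strings: ${...} is left for the template engine, not for GString.
def unescapedTemplate = '<p>Hello ${name}</p>'
def escapedTemplate   = '<p>Hello ${name.encodeAsHTML()}</p>'

def raw  = engine.createTemplate(unescapedTemplate).make(binding).toString()
def safe = engine.createTemplate(escapedTemplate).make(binding).toString()

// Without escaping, the value's markup becomes part of the email body.
assert raw == '<p>Hello <b>Ann</b> & "Co"</p>'

// With escaping, the same value is rendered as inert text.
assert safe == '<p>Hello &lt;b&gt;Ann&lt;/b&gt; &amp; &quot;Co&quot;</p>'

// Single quotes are covered too, for values placed in '...' attributes.
assert "it's".encodeAsHTML() == 'it&#39;s'

println raw
println safe
```

This escaping is only appropriate for HTML element content and quoted attribute values; values placed in URLs, inline scripts or style blocks need context-specific encoders such as those in the libraries listed in the comment.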