在没有 Grails 的普通 Spring MVC 中使用 GSP 视图
我想在普通的旧 Spring MVC 应用程序中使用 GSP 视图而不是 JSP/JSTL 视图。我在 web.xml 中添加了一个 groovy.servlet.TemplateServlet,如下所示:
<servlet>
<servlet-name>GroovyTemplate</servlet-name>
<servlet-class>groovy.servlet.TemplateServlet</servlet-class>
<init-param>
<param-name>template.engine</param-name>
<param-value>groovy.text.GStringTemplateEngine</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>GroovyTemplate</servlet-name>
<url-pattern>*.gsp</url-pattern>
</servlet-mapping>
并设置一个 Spring InternalResourceViewResolver 来加载 GPS 文件。到目前为止,一切都工作正常,但为了将模型中的值公开给模板,我必须采取一些技巧(子类化 TemplateServlet 并将它们添加到 ServletBinding)。
现在我的下一个障碍是,JSTL 在使用 c:out 标记时默认会转义 XML,而 Grails 具有编解码器的概念,可以自动转义 GSP 中使用的值。上面介绍的模板方法默认是不会逃逸的,这就需要开发者非常小心,避免XSS漏洞。
是否有另一种(更好的)方法来使用 GSP,包括在普通 Spring MVC 应用程序中自动转义而不使用 Grails?
I would like to use GSP views instead of JSP/JSTL views in a plain old Spring MVC application. I have added a groovy.servlet.TemplateServlet to web.xml like this:
<servlet>
<servlet-name>GroovyTemplate</servlet-name>
<servlet-class>groovy.servlet.TemplateServlet</servlet-class>
<init-param>
<param-name>template.engine</param-name>
<param-value>groovy.text.GStringTemplateEngine</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>GroovyTemplate</servlet-name>
<url-pattern>*.gsp</url-pattern>
</servlet-mapping>
And setup a Spring InternalResourceViewResolver to load the GPS files. Upto this point it all works fine, but to expose the values in the Model to the template I had to do some tricks (subclassing TemplateServlet and adding them to the ServletBinding).
Now my next obstacle is that JSTL by default escapes XML when using the c:out tag and Grails has the notion of codecs to automatically escape values used in a GSP. The template method described above does not escape by default, which requires the developers to be very careful to avoid XSS vulnerabilities.
Is there another (better) way to use GSP including automatic escaping in a plain Spring MVC application without using Grails?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
今天,Spring Boot 的 GSP 刚刚发布。这提供了在常规 Spring Web 应用程序中使用 GSP 而不是 JSP 的能力。您可以在此处查看示例: https://github.com/grails/grails-boot/blob/master/sample-apps/gsp/script/templates/index.gsp
Today GSP for Spring Boot was just released. This provides the ability to use GSP instead of JSP in a regular Spring web application. You can see an example here: https://github.com/grails/grails-boot/blob/master/sample-apps/gsp/script/templates/index.gsp
您也可以使用
GroovyPagesServlet来实现此目的,而不是使用TemplateServlet(我还没有对此进行测试,只是查看了 Grails 的 web.xml< /em> 和类的代码)。后者需要设置一个名为
groovyPagesTemplateEngine的 Spring bean,并键入GroovyPagesTemplateEngine(本例中为GStringTemplateEngine)。使用
InternalResourceViewResolver配置视图层是正确的。您将分配一个GroovyPageView。默认情况下,GSP 未配置为执行 HTML 输出转义。要进行配置,请在 Config.groovy 中将
grails.views.default.codec从none更改为html。有关详细信息,请参阅本文。Instead of using a
TemplateServlet, you could have also used aGroovyPagesServletfor that purpose (I haven't tested that, just looked at Grails' web.xml and the class' code).The latter requires a Spring bean to be setup, named
groovyPagesTemplateEngine, and typedGroovyPagesTemplateEngine(GStringTemplateEnginein this case).Configuring the view layer with an
InternalResourceViewResolveris correct. You'll have assigned aGroovyPageView.GSPs, by default, are not configured to perform HTML output escaping. To configure that, change
grails.views.default.codecfromnonetohtmlin Config.groovy. See this article for more information.我们从 Grails 中提取了 GSP,针对 Spring MVC 应用程序进行了定制,并改进了配置支持。请参阅我们的工具 Rabbtor 。我们不提供开源的,但使用是免费的,并且我们一直在我们自己的应用程序中使用它。 Spring Boot 的 GSP 依赖于 Spring boot,它不被维护,并且一些标签库依赖于 Grails。我们删除了这些依赖项,创建了自己的自定义标签库,更适合 Spring MVC 应用程序。支持大多数标签库,并且与 Spring JSP 标签具有类似的实现。提供了数据绑定表单标签库,您也可以注册标签库或包。
We have extracted GSP from Grails, customized it for Spring MVC applications and improved configuration support. Please see our tool Rabbtor. We don't provide it open source, but usage is free of charge and we have been using it in our own applications. GSP for Spring Boot depends on Spring boot, it is not maintained and some tag libraries depend on Grails. We removed these dependencies, created our own custom tag libraries which better suit Spring MVC apps.Most tag libraries are supported and have similar implemantations to Spring JSP tags.A data-bound form tag library is provided and also you can register your tag libs or packages.