Strategy for dealing with XSS

I have implemented two versions of XSS sanitization for issue RA-452 (persistent XSS in patient registration address field) in my fork:

1.) Controller-implemented, in the registration app (RegisterPatientFragmentController.java):

2.) gsp-implemented, in coreapps (contactInfoInline.gsp):

The way I look at it, when controller-based sanitization is in place, view designers don’t have to worry about sanitizing data they draw from the backend. On the other hand, future backend developers who add additional String attributes to the patient or person models will also have to remember to update controller sanitizing functions.

GSP-implemented sanitization has the opposite effect: view designers have to worry about sanitizing backend data that is presented in HTML, but backend controller development can proceed without worrying about XSS.

I couldn’t find anything on the wiki on this particular issue and I am looking for feedback about which method is preferable from those of you with more experience.
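Added example, not code from the fork or from OpenMRS: a self-contained Java sketch of the two placements described above, showing why a controller-side list of escaped fields is fragile when a new attribute is added, while escaping at the point of output is not. The `Address` model, its `countyDistrict` field (standing in for an attribute added after the sanitizer was written) and the stored value are all constructed for the demonstration.

```java
import java.util.function.Function;

// Hypothetical stand-ins for the registration controller and the GSP view; not OpenMRS code.
public class XssPlacementDemo {
    /** Escape the characters that break out of HTML text and attribute contexts. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Toy address model; countyDistrict stands for a field added after the sanitizer was written. */
    static class Address {
        String address1, cityVillage, countyDistrict;
        Address(String a, String c, String d) { address1 = a; cityVillage = c; countyDistrict = d; }
    }

    /** Option 1: the controller escapes a fixed list of fields before handing the model to the view. */
    static Address sanitizeInController(Address in) {
        return new Address(escapeHtml(in.address1), escapeHtml(in.cityVillage),
                           in.countyDistrict); // new field was never added to the list: still raw
    }

    /** Option 2: the view applies an encoder to every value at the point it is written into HTML. */
    static String render(Address a, Function<String, String> enc) {
        return "<p>" + enc.apply(a.address1) + ", " + enc.apply(a.cityVillage)
             + ", " + enc.apply(a.countyDistrict) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed record as it might sit in the database after a persistent-XSS submission.
        Address stored = new Address("12 Main St", "Kampala", "<script>x</script>");
        // Controller sanitized, view trusts the model: the forgotten field reaches the page unescaped.
        System.out.println(render(sanitizeInController(stored), s -> s));
        // View escapes everything it prints: no field can be forgotten.
        System.out.println(render(stored, XssPlacementDemo::escapeHtml));
    }
}
```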

Thanks again @isears for taking a lead on this! :smile: To date, we have been doing the second option, that is sanitising at the view layer.


Ok, sounds good. I will submit a pull request shortly.