
Martin Gaens

04/25/2022, 3:16 PM
How big of a security vulnerability is using Thymeleaf's `th:utext`? I'm trying to render a page using Thymeleaf but there are certain parts of the website which are much easier rendered using `kotlinx.html`. I'd like to inject them using `th:utext` but this Stackoverflow answer and a comment underneath it say it's a security vulnerability.

Roukanken

04/26/2022, 9:38 AM
A giant one: you have to avoid getting any user input inside that. E.g., if a user could provide the content of the variable, he could just provide `<script> /* arbitrary JS */ </script>` and do whatever he wanted every time that gets rendered. Of course, if you prevent users from providing input to this variable, it should not be an issue. (But of course, think long and hard about why you want to do that.)

Martin Gaens

04/26/2022, 9:39 AM
Yeah, understandable. Thank you. What are my other options, if I want to mix kotlinx.html with, let's say, Thymeleaf?