Martin Gaens
04/25/2022, 3:16 PM
th:utext? I'm trying to render a page using Thymeleaf, but there are certain parts of the website which are much easier rendered using kotlinx.html. I'd like to inject them using th:utext, but this Stack Overflow answer and a comment underneath it say it's a security vulnerability.
Roukanken
04/26/2022, 9:38 AM
<script> /* arbitrary JS */ </script> and do whatever he wanted every time that gets rendered.
Of course, if you prevent the user from providing input to this variable, it should not be an issue. (But of course, think long and hard why you want to do that)
Martin Gaens
04/26/2022, 9:39 AM