
Grails Markup Sanitizer Plugin

  • Tags: codec, tinymce
  • Latest: 0.12.0
  • Last Updated: 09 March 2015
  • Grails version: 2.4.0 > *
  • Authors: Daniel Bower
compile "org.grails.plugins:sanitizer:0.12.0"


Plugin for Sanitizing Markup (HTML, XHTML, CSS) using OWASP AntiSamy.

grails install-plugin sanitizer

The plugin filters malicious content out of user-generated content (such as text entered through rich text boxes).


  • Ruleset in src/groovy/antisamy/antisamy-policy.xml - the user chooses which of the three default policies to use and can edit it further if necessary.
  • Constraint "markup"
    • can be added to domain/command classes to validate that a string is valid and safe markup
    • important note: The constraint is for validation only, it does not sanitize the string
  • Encoding-only Codec "myText.encodeAsSanitizedMarkup()"
    • use the codec or the service to sanitize the string
    • (the codec uses the service, too)
  • MarkupSanitizerService
    • use the codec or the service to sanitize the string
    • access in your controllers/services via: def markupSanitizerService
    • method MarkupSanitizerResult sanitize(String dirtyString)
    • effectively a singleton, which means the ruleset only needs to be read once on startup


  • Use 0.10.x versions for Grails 2.2.x
  • Use 0.11.x versions for Grails 2.3.x
  • Use 0.12.x versions for Grails 2.4.x

Bug reports: GitHub

Please feel free to send me any results of any testing you may do.

This module does not sanitize a string that does not contain valid markup: if the input is not valid markup, it simply returns an empty string.

Example using encodeAsSanitizedMarkup

In your domain/command object add a constraint to inform the user if they've submitted invalid markup:

static constraints = {
    // "markup" validates that the text is valid, safe markup; it does NOT sanitize it
    text(maxSize: 65000, markup: true)
}


In your controller, add the following to both the save and the update actions (save is shown):

def save = {
    def newsItemInstance = new NewsItem(params)

    // give the user a clue: the "markup" constraint reports invalid markup
    // as a validation error before anything is persisted
    if (!newsItemInstance.validate()) {
        render(view: "create", model: [newsItemInstance: newsItemInstance])
        return
    }

    // the constraint only validates; sanitize explicitly before saving
    newsItemInstance.text = newsItemInstance.text.encodeAsSanitizedMarkup()

    if (newsItemInstance.save(flush: true)) {
        redirect(action: "show", id: newsItemInstance.id)
    } else {
        render(view: "create", model: [newsItemInstance: newsItemInstance])
    }
}



If you would like a generic error message instead of the specific one, edit your message bundle and simply set:

myCommand.field.markup.error.field=My generic error message

In the latest version of the sanitizer, you can add the trustSanitizer config value to Config.groovy.

By default, if the sanitizer issues any message during cleaning, the sanitizer codec returns an empty string. Setting trustSanitizer to true lets you ignore the messages issued by the sanitizer and just use its output.

Example using Service

Use the sanitizer as follows in controllers or other services:

import org.grails.plugins.sanitizer.MarkupSanitizerResult

// inject service
def markupSanitizerService

// implement the sanitizer in a method of your choice
MarkupSanitizerResult result = markupSanitizerService.sanitize(input)
if (!result.isInvalidMarkup()) {
    //return result.cleanString
} else {
    //return result.errorMessages
    //return result.cleanString
}
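The following is an added example, not code from the plugin, showing why a controller may prefer the service over the codec: the codec silently replaces rejected input with an empty string, whereas the service exposes errorMessages so the rejection can be shown to the user and only cleanString is persisted. It assumes a hypothetical NewsItem domain class with a text property and that errorMessages iterates as strings.

```groovy
import org.grails.plugins.sanitizer.MarkupSanitizerResult

class NewsItemController {

    // injected by Grails; the bean name is the plugin's service name
    def markupSanitizerService

    def update() {
        // NewsItem is a hypothetical domain class used for illustration
        def newsItemInstance = NewsItem.get(params.id)
        if (!newsItemInstance) {
            redirect(action: "list")
            return
        }
        newsItemInstance.properties = params

        // Sanitize through the service so that rejected markup is reported
        // instead of being silently replaced by an empty string.
        MarkupSanitizerResult result = markupSanitizerService.sanitize(newsItemInstance.text ?: "")

        if (result.isInvalidMarkup()) {
            // surface the sanitizer's messages as field errors on "text"
            result.errorMessages.each { msg ->
                newsItemInstance.errors.rejectValue("text", "newsItem.text.markup.error", msg.toString())
            }
            render(view: "edit", model: [newsItemInstance: newsItemInstance])
            return
        }

        // Persist only the cleaned markup, never the raw submission.
        newsItemInstance.text = result.cleanString
        if (newsItemInstance.save(flush: true)) {
            redirect(action: "show", id: newsItemInstance.id)
        } else {
            render(view: "edit", model: [newsItemInstance: newsItemInstance])
        }
    }
}
```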


Sanitizer source code is now on GitHub: