Points To Remember
  • By default, in grails all the html code and script code is escaped.
  • You can render your html string as html in three ways, change in config, change at page level and change at field level. 
Rendering HTML String in a GSP in Grails.
Suppose we have a String like the following and we want it to get rendered as HTML in our gsp. By default out code will get rendered like this.
Hi < br />My name is Ekansh Rastogi < br />I want this in three lines.
But we wanted out output as
My name is Ekansh Rastogi
I want this in three lines.

So, following are the ways in which you can render your HTML String as HTML.
  1. Render the Html String you want to encode as HTML.
    This will encode the string and make it render like html. This will encode only the string on which it is called upon.
  2. Render the all HTML Strings in a page to encode as HTML.
    <%@page expressionCodec="none" %>
    This will render all the html strings in the page as HTML. In this case we may not want to encode each string separately to HTML, just one directive will do our work for the whole page.
  3. Render the all HTML Strings in the Web project to encode as HTML.
    grails {

        views {

            gsp {

                encoding = 'UTF-8'

                htmlcodec = 'xml' // use xml escaping instead of HTML4 escaping

                codecs {

                    expression = 'none' // escapes values inside ${}

                    scriptlet = 'html' // escapes output from scriptlets in GSPs

                    taglib = 'none' // escapes output from taglibs

                    staticparts = 'none' // escapes output from static template parts



            // escapes all not-encoded output at final stage of outputting

            // filteringCodecForContentType.'text/html' = 'html'


    This will render all the html strings in the whole web application. In this case we may not need to encode each string field as HTML nor do we need to add the page directives on each page.
Please note that, making all the html strings to encode as HTML will make your site vulnerable to attacks like Cross Site Scripting.  So it is advised to make use of this very judiciously.