Talk:Grails Secure Code Review Cheat Sheet

presentation on encoding properly for the context). - use them. And not just "it must not be null" or "it must be less than 20 characters", but real format validation. http://grails.org/doc/latest/guide/single.html#security - it *really* is pretty good, including XSRF prevention, although I think the "Guessable ID's" section could use some fleshing out (make a map of the objects the user should be able to access, check against that, or don't send PK's at all - send keys into the map).
 * HTML/Javascript/URL Encode stuff as appropriate (see Manico's
 * There are lots of built-in model validation constraints available to you
 * Use useToken on Forms
 * Do all the stuff listed in