Folks, Turns out there's a security vulnerability in Lift. It's possible to insert control characters into input fields. When the control characters are sent back to the browser, the browser will choke. An example can be seen at http://demo.liftweb.net Go to that page, enter your name in the chat input box and then reload the page. In Firefox, the page will not be rendered at all. In Chrome, rendering will stop at the point that the control character is encountered. This can cause a denial of service attack on any page that contains user input.
I will work on a fix for this vulnerability (filter control characters other than \n and \r from Text fields when the page is being sent back to the browser.) I'd like to get a sense of how important the community views this defect. Is it a "backport the fix to every milestone and release yesterday" or is it a "fix it in 2.0-M2" or someplace in between. Thanks, David -- Lift, the simply functional web framework http://liftweb.net Beginning Scala http://www.apress.com/book/view/1430219890 Follow me: http://twitter.com/dpp Surf the harmonics -- You received this message because you are subscribed to the Google Groups "Lift" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
