Is that not a defect of the browsers?

On Tue, Feb 2, 2010 at 7:57 PM, David Pollak <[email protected]> wrote:
> Folks,
>
> Turns out there's a security vulnerability in Lift. It's possible to insert
> control characters into input fields. When the control characters are sent
> back to the browser, the browser will choke. An example can be seen at
> http://demo.liftweb.net. Go to that page, enter your name in the chat input
> box and then reload the page. In Firefox, the page will not be rendered at
> all. In Chrome, rendering will stop at the point that the control character
> is encountered. This can cause a denial of service attack on any page that
> contains user input.
>
> I will work on a fix for this vulnerability (filter control characters other
> than \n and \r from Text fields when the page is being sent back to the
> browser.)
>
> I'd like to get a sense of how important the community views this defect.
> Is it a "backport the fix to every milestone and release yesterday" or is it
> a "fix it in 2.0-M2" or someplace in between.
>
> Thanks,
>
> David
>
> --
> Lift, the simply functional web framework http://liftweb.net
> Beginning Scala http://www.apress.com/book/view/1430219890
> Follow me: http://twitter.com/dpp
> Surf the harmonics
>
> --
> You received this message because you are subscribed to the Google Groups
> "Lift" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/liftweb?hl=en.
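An added example (editor's illustration, not Lift's code and not part of either message above) of the mechanism the quoted message describes and of the fix it proposes. The point it makes concrete: ordinary HTML escaping of &, < and > does nothing about a C0 control character such as 0x02, yet such a character is not a legal XML 1.0 "Char", so an XHTML page that echoes it back is no longer well-formed and an XML-mode parser rejects the whole document rather than rendering around it. The function names, the `render_chat_line` templating step and the sample chat name are all constructed for this example; the filter keeps tab as well as \n and \r because XML 1.0 permits all three, which goes slightly beyond the "\n and \r" in the message.

```python
"""Added example: strip characters that are illegal in XML 1.0 text before
user input is echoed into an XHTML page. Stand-alone illustration only; it is
not the Lift project's fix and does not use Lift's API."""
import xml.etree.ElementTree as ET


def is_xml_char(cp: int) -> bool:
    """XML 1.0 'Char' production: tab, LF, CR, then U+0020 and up, minus the
    surrogate block and the non-characters U+FFFE / U+FFFF."""
    return (
        cp in (0x09, 0x0A, 0x0D)
        or 0x20 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )


def strip_illegal_xml_chars(text: str) -> str:
    """Drop every code point XML 1.0 does not allow in character data.
    Keeps \\t, \\n and \\r (the message's fix keeps \\n and \\r; keeping tab
    as well is this example's choice, since XML permits it)."""
    return "".join(ch for ch in text if is_xml_char(ord(ch)))


def xml_escape(text: str) -> str:
    """The usual markup escaping. Note that it leaves control characters alone,
    which is exactly why escaping alone does not prevent this failure."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_chat_line(name: str) -> str:
    """Hypothetical templating step: the submitted chat name is escaped and
    dropped into an XHTML fragment, as a page echoing user input would do."""
    return f'<li xmlns="http://www.w3.org/1999/xhtml">{xml_escape(name)}</li>'


def is_well_formed(markup: str) -> bool:
    """Stand-in for a browser parsing XHTML in XML mode: a document that is not
    well-formed is rejected as a whole instead of being rendered."""
    try:
        ET.fromstring(markup)
        return True
    except ET.ParseError:
        return False


# Constructed sample input: a chat name carrying an STX (0x02) control byte.
POISONED_NAME = "dpp\x02"


def demo() -> tuple:
    """Returns (unsanitized_ok, sanitized_ok, sanitized_markup)."""
    unsanitized = render_chat_line(POISONED_NAME)
    sanitized = render_chat_line(strip_illegal_xml_chars(POISONED_NAME))
    return is_well_formed(unsanitized), is_well_formed(sanitized), sanitized


if __name__ == "__main__":
    before, after, markup = demo()
    print("unsanitized page well-formed:", before)
    print("sanitized page well-formed:  ", after)
    print("sanitized fragment:          ", markup)
```

The filter is applied on output, as the message proposes, because the bad characters may already be sitting in stored data; applying it only on input would leave existing records able to break the page. An escaping step alone, as `xml_escape` shows, is not sufficient.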
