If you scan the whole page wouldn't it affect performance? Or will you put a safeguard in the input field / processing query parameters?
2010/2/2 Naftoli Gugenheim <[email protected]>:
> Is that not a defect of the browsers?
>
> On Tue, Feb 2, 2010 at 7:57 PM, David Pollak <[email protected]> wrote:
>> Folks,
>>
>> Turns out there's a security vulnerability in Lift. It's possible to insert
>> control characters into input fields. When the control characters are sent
>> back to the browser, the browser will choke. An example can be seen at
>> http://demo.liftweb.net Go to that page, enter your name in the chat input
>> box and then reload the page. In Firefox, the page will not be rendered at
>> all. In Chrome, rendering will stop at the point that the control character
>> is encountered. This can cause a denial of service attack on any page that
>> contains user input.
>>
>> I will work on a fix for this vulnerability (filter control characters other
>> than \n and \r from Text fields when the page is being sent back to the
>> browser.)
>>
>> I'd like to get a sense of how important the community views this defect.
>> Is it a "backport the fix to every milestone and release yesterday" or is it
>> a "fix it in 2.0-M2" or someplace in between.
>>
>> Thanks,
>>
>> David
>>
>> --
>> Lift, the simply functional web framework http://liftweb.net
>> Beginning Scala http://www.apress.com/book/view/1430219890
>> Follow me: http://twitter.com/dpp
>> Surf the harmonics
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Lift" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/liftweb?hl=en.
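The fix David sketches (strip control characters other than \n and \r from a text value before it is rendered back to the browser), as an added Python example that is not Lift's own code. The `<li>` layout, the function names and the sample chat name are assumptions, and an XML parser stands in for the XHTML-mode browser that refuses to render the page.

```python
import re
import xml.etree.ElementTree as ET

# C0 control characters except LF (\n) and CR (\r), which the fix in the
# thread keeps. TAB (\t) is also legal XML 1.0 text but is dropped here
# because the thread only whitelists \n and \r.
_CONTROL_CHARS = re.compile(r"[\x00-\x09\x0B\x0C\x0E-\x1F]")


def strip_control_chars(text: str) -> str:
    """Remove control characters from a user-supplied string."""
    return _CONTROL_CHARS.sub("", text)


def render_chat_line(name: str, sanitize: bool = True) -> str:
    """Serialise one chat entry as markup (hypothetical <li> layout).

    The XML serialiser escapes &, < and > but passes control characters
    through untouched, which is exactly the gap the thread describes.
    """
    if sanitize:
        name = strip_control_chars(name)
    item = ET.Element("li")
    item.text = name
    return ET.tostring(item, encoding="unicode")


def is_well_formed(markup: str) -> bool:
    """True if an XML parser (expat, like an XHTML browser) accepts it."""
    try:
        ET.fromstring(markup)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a chat name carrying NUL and ESC control characters.
    raw_name = "Alice\x00\x1b[31m<b>hi</b>\r\n"
    unsafe = render_chat_line(raw_name, sanitize=False)
    safe = render_chat_line(raw_name)
    print("unsanitized well-formed:", is_well_formed(unsafe))  # False
    print("sanitized well-formed:  ", is_well_formed(safe))    # True
    print(repr(safe))
```

Markup escaping alone does not close this gap: the serialiser turns `<b>` into `&lt;b&gt;` yet still emits the NUL byte, so the control-character filter has to run in addition to the usual HTML escaping.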
