I can reproduce it in our application, but I think it is not
necessarily due to Lift.  This is what I am trying to sort out.  We
have client-side javascript which is sending JSON commands to the
server and things blow up once things come back from the server.  In
this case, Lift is not responsible for the rendering so I would say
this is an application issue.

I am poking at the demo lift application to try to flush out issues
common to the group and understand what is a framework issue and what
needs to be addressed by the application.

Thanks.


Dan
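
What the thread quoted below calls binary or control characters are, on the assumption that the XML parsing errors come from them, code points outside the XML 1.0 `Char` production. As an added example (not Lift's fix and not code from this thread), here is a plain-Scala filter an application could apply to form input before echoing it into XHTML; the object and method names are hypothetical, and the asserts cover the tab/newline mix-up raised in the quoted thread.

```scala
object XmlSafeText {
  // XML 1.0 Char: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
  def isXmlChar(cp: Int): Boolean =
    cp == 0x9 || cp == 0xA || cp == 0xD ||
      (cp >= 0x20 && cp <= 0xD7FF) ||
      (cp >= 0xE000 && cp <= 0xFFFD) ||
      (cp >= 0x10000 && cp <= 0x10FFFF)

  // Splits input into (kept text, rejected code points with their UTF-16 offsets).
  // Walks by code point so an unpaired surrogate is rejected, not passed through.
  def scan(in: String): (String, List[(Int, String)]) = {
    val kept = new java.lang.StringBuilder(in.length)
    val bad = List.newBuilder[(Int, String)]
    var i = 0
    while (i < in.length) {
      val cp = in.codePointAt(i)
      if (isXmlChar(cp)) kept.appendCodePoint(cp)
      else bad += ((i, f"U+$cp%04X"))
      i += Character.charCount(cp)
    }
    (kept.toString, bad.result())
  }

  def strip(in: String): String = scan(in)._1

  def main(args: Array[String]): Unit = {
    // Constructed sample: a "First Name" value with NUL, BEL and ESC pasted in.
    val pasted = "Da\u0000n\u0007\tO'Leary\u001b\n"
    val (clean, bad) = scan(pasted)
    assert(clean == "Dan\tO'Leary\n")
    assert(bad == List((2, "U+0000"), (4, "U+0007"), (13, "U+001B")))
    // Regression check for the mix-up raised in the thread: tab and newline
    // are legal and must come back unchanged, not swapped.
    assert(strip("a\tb\nc\r") == "a\tb\nc\r")
    // An unpaired surrogate (constructed) is dropped.
    assert(strip("x" + 0xD800.toChar + "y") == "xy")
    println(s"kept=${clean.trim} rejected=$bad")
  }
}
```

The rejected list is meant for server-side logging, so repeated submissions of illegal characters can be spotted without echoing them back to the client.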

On Mar 5, 9:47 am, Naftoli Gugenheim <naftoli...@gmail.com> wrote:
> Can you reproduce the vulnerability in your own M3 app?
>
> -------------------------------------
>
> Dano <olearydani...@gmail.com> wrote:
>
> I would never claim to be astute.  However, I did observe that
> demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the
> bottom of the page.  I also observed that the Wizard example is still
> broken (paste binary characters into 'First Name' and then click the
> Next button).  I have not yet registered for an account with Assembla
> but would be happy to file the bug.
>
> Dan
>
> On Mar 4, 7:33 pm, Ross Mellgren <dri...@gmail.com> wrote:
>
> > Check dpp's response as of 8:01
>
> > -Ross
>
> > On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
>
> > > What version is the demo running?
>
> > > -------------------------------------
> > > Dano <olearydani...@gmail.com> wrote:
>
> > > Just saw that Lift 2.0-M3 was released.  I looked to see if the
> > > vulnerability was still present in demo.liftweb.net and I am still
> > > able to generate exceptions in the browser when I paste binary
> > > characters in the textfields for the Wizard, Wizard Challenge, and Arc
> > > Challenge examples in the Misc section.
>
> > > Don't know if this remaining problem is supposed to be handled by the
> > > application or framework, but thought I would make a post to alert the
> > > group.
>
> > > Dan
>
> > > On Feb 24, 11:49 am, Dano <olearydani...@gmail.com> wrote:
> > >> The recent scala days conference activity may have caused the updates
> > >> to this thread to escape notice.  Just wondering if there is concern
> > >> about the remaining binary character problems I noted in my prior
> > >> post.
>
> > >> Thanks in advance.
>
> > >> Dan
>
> > >> On Feb 22, 1:34 pm, Dano <olearydani...@gmail.com> wrote:
>
> > >>> More information on this in case anyone is interested.  If you go to
> > >>> the lift demo website, it appears the issue with characters is mostly
> > >>> addressed except for the "Misc code" section.   Specifically, the
> > >>> "Wizard", "Wizard Challenge" and "Arc Challenge #1" examples will
> > >>> generate XML parsing errors.
>
> > >>> For these problems, I am not sure if the issue is the example or the
> > >>> framework.  If the issue is with the example, it would be good to know
> > >>> what Lift apps need to do to avoid getting bitten by binary characters
> > >>> entered into form fields.
>
> > >>> Thanks in advance.
>
> > >>> Dan
>
> > >>> On Feb 17, 11:06 am, Dano <olearydani...@gmail.com> wrote:
>
> > >>>> Hello,
>
> > >>>> I was wondering if the fix for the control characters issue was
> > >>>> included in 2.0-M2.  I just did a test with our Lift application built
> > >>>> with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions
> > >>>> - NS_ERROR_INVALID_POINTER).
>
> > >>>> Thanks in advance.
>
> > >>>> Dan
>
> > >>>> On Feb 3, 9:08 am, David Pollak <feeder.of.the.be...@gmail.com> wrote:
>
> > >>>>> Thanks for pointing that out.  There are other problems as well...
> > >>>>> I'll fix them (in both the Scala and Lift diffs)
>
> > >>>>> On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang <sharpzh...@gmail.com> wrote:
> > >>>>>> I found that in the fix, \n is changed to \t, while \t to \n. Is this
> > >>>>>> desired behavior?
>
> > >>>>>> Thank you,
>
> > >>>>>> Feng
>
> > >>>>>> On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri <indraj...@gmail.com> wrote:
>
> > >>>>>>> 1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
>
> > >>>>>>> 2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x
> > >>>>>>> 'unsupported' yet. Forcing apps to move to 2.0-M2 just for this
> > >>>>>>> vulnerability fix isn't fun.
>
> > >>>>>>> Cheers, Indrajit
>
> > >>>>>>> On 03/02/10 3:34 PM, Timothy Perrett wrote:
>
> > >>>>>>>> +1
>
> > >>>>>>>> Fix it in head, no need to back-port; M2 is only around the corner.
>
> > >>>>>>>> Cheers, Tim
>
> > >>>>>>>> On 3 Feb 2010, at 09:49, Jeppe Nejsum Madsen wrote:
>
> > >>>>>>>>> David Pollak <feeder.of.the.be...@gmail.com> writes:
>
> > >>>>>>>>>> I'd like to get a sense of how important the community views this
> > >>>>>>>>>> defect.
> > >>>>>>>>>> Is it a "backport the fix to every milestone and release yesterday" or
> > >>>>>>>>>> is it a "fix it in 2.0-M2" or someplace in between.
>
> > >>>>>>>>> For me, it's fix it in 2.0-SNAPSHOT
>
> > >>>>>>>>> /Jeppe
>
> > >>>>>>>>> --
> > >>>>>>>>> You received this message because you are subscribed to the Google
> > >>>>>>>>> Groups "Lift" group.
> > >>>>>>>>> To post to this group, send email to lift...@googlegroups.com.
> > >>>>>>>>> To unsubscribe from this group, send email to
> > >>>>>>>>> liftweb+unsubscr...@googlegroups.com.
> > >>>>>>>>> For more options, visit this group at
> > >>>>>>>>> http://groups.google.com/group/liftweb?hl=en.
>
> > >>>>> --
> > >>>>> Lift, the simply functional web framework http://liftweb.net
> > >>>>> Beginning Scala http://www.apress.com/book/view/1430219890
> > >>>>> Follow me: http://twitter.com/dpp
> > >>>>> Surf the harmonics
>
