I should have been more clear on 'pasting binary characters'.  At the
url http://www.webmasterworld.com/forum39/1098.htm, they talk about an
issue with binary characters.  I copied the 'square character' text
(which I have confirmed are binary) from that page into the Wizard
example on the demo lift site.

As to JSON, our client side code is sending JSON containing what the
user entered in the form.  Based on the above, it sounds like we
should strip the binary characters when processing the JSON commands.

Thanks.


Dan
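The gap David describes above (control characters are legal in JSON, but the application must make sure the strings it renders are valid XHTML) and the "strip the binary characters when processing the JSON commands" conclusion can be shown in a few lines. The following is an added example, not code from this thread or from the Lift project: it parses a constructed form submission, removes the characters XML 1.0 forbids, and renders the result into a fragment. The field names firstName and lastName are assumptions modelled on the demo Wizard form.

```javascript
// Added example, not code from the Lift thread or the Lift project.
// A string can be perfectly legal JSON and still be illegal in the XHTML/XML
// the application renders it into, so the app (not the JSON library) has to
// sanitize before rendering.

// Characters XML 1.0 forbids anywhere in a document (production [2] Char):
// C0 controls other than TAB/LF/CR, unpaired surrogates, and U+FFFE/U+FFFF.
// With the `u` flag the surrogate range matches only unpaired surrogates,
// because a valid pair is then seen as one code point above U+FFFF.
const XML_ILLEGAL_SOURCE =
  '[\\u0000-\\u0008\\u000B\\u000C\\u000E-\\u001F\\uD800-\\uDFFF\\uFFFE\\uFFFF]';
const XML_ILLEGAL_ONCE = new RegExp(XML_ILLEGAL_SOURCE, 'u');
const XML_ILLEGAL_ALL = new RegExp(XML_ILLEGAL_SOURCE, 'gu');

// Report every forbidden character with its position (useful for logging
// what was removed rather than silently altering user input).
function findXmlIllegal(text) {
  const hits = [];
  for (const m of text.matchAll(XML_ILLEGAL_ALL)) {
    hits.push({ index: m.index, codePoint: m[0].codePointAt(0) });
  }
  return hits;
}

// True when the text can be placed in an XML 1.0 document as-is.
function isXmlSafe(text) {
  return !XML_ILLEGAL_ONCE.test(text);
}

// Drop the forbidden characters; TAB/LF/CR and all printable text survive.
function stripXmlIllegal(text) {
  return text.replace(XML_ILLEGAL_ALL, '');
}

// Escape the five markup characters of a clean string for XHTML text/attributes.
function escapeXhtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side handling of one form submission that arrived as JSON text.
// JSON.parse accepts escapes such as \u0001, so the parsed strings may hold
// characters that XML rejects; every string field is sanitized here.
function processFormJson(jsonText) {
  const fields = JSON.parse(jsonText);
  const clean = {};
  let removed = 0;
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') {
      clean[name] = value;
      continue;
    }
    removed += findXmlIllegal(value).length;
    clean[name] = stripXmlIllegal(value);
  }
  return { fields: clean, removed };
}

// Render sanitized fields into an XHTML fragment (assumed markup shape).
function renderFragment(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `<span class="${escapeXhtml(k)}">${escapeXhtml(String(v))}</span>`)
    .join('');
}

// Constructed payload: what a client might send after a user pastes "binary"
// characters into First Name. \u0001, \u0007 and \u0000 are legal JSON escapes
// that XML 1.0 rejects; \t is legal in both JSON and XML and must be kept.
const SAMPLE_PAYLOAD =
  '{"firstName":"Dan\\u0001\\u0007","lastName":"O\\tNeil\\u0000"}';

const result = processFormJson(SAMPLE_PAYLOAD);
console.log(result.removed, 'forbidden characters removed');
console.log(renderFragment(result.fields), isXmlSafe(renderFragment(result.fields)));
```

Stripping is what the thread settles on; the alternative of rejecting the submission with an error is equally valid, and either way the removed characters should be logged so that an unexpected flood of them is noticeable. Note that XML 1.0 refuses these characters even in numeric-entity form, so escaping alone (escapeXhtml here) does not fix the problem; the strip has to happen first.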


On Mar 5, 10:49 am, David Pollak <[email protected]>
wrote:
> On Fri, Mar 5, 2010 at 10:26 AM, Dano <[email protected]> wrote:
> > I think I would like to amend my last post by asking if it is possible
> > that the lift-json library support the ability to strip out binary
> > characters since many times an application uses the results of JSON
> > operations to render back to the client.
>
> Control characters are legal in JSON so it's not the place of the library to
> strip out control characters.
>
> If you're sending JSON strings that are supposed to be valid XHTML, then
> it's up to your app to make sure the Strings are valid.  If you are using
> Scala's XML literals and "toString", you are hitting a bug in the XML
> libraries that render incorrect Strings.  I have fixed the bug in the 2.8
> branch, but there's no practical way to go back and make the fix part of
> 2.7.x.
>
> If you use Lift's AltXML library to convert the XML to String.  Lift's
> library also has the patch to ensure that XML -> String is valid per this
> W3C page:http://www.w3.org/International/questions/qa-controls
>
> > Thanks.
>
> > Dan
>
> > On Mar 5, 9:53 am, Dano <[email protected]> wrote:
> > > I can reproduce it in our application, but I think it is not
> > > necessarily due to Lift.  This is what I am trying to sort out.  We
> > > have client-side javascript which is sending JSON commands to the
> > > server and things blow up once things come back from the server.  In
> > > this case, Lift is not responsible for the rendering so I would say
> > > this is an application issue.
>
> > > I am poking at the demo lift application to try to flush out issues
> > > common to the group and understand what is a framework issue and what
> > > needs to be addressed by the application.
>
> > > Thanks.
>
> > > Dan
>
> > > On Mar 5, 9:47 am, Naftoli Gugenheim <[email protected]> wrote:
>
> > > > Can you reproduce the vulnerability in your own M3 app?
>
> > > > -------------------------------------
>
> > > > Dano<[email protected]> wrote:
>
> > > > I would never claim to be astute.  However, I did observe that
> > > > demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the
> > > > bottom of the page.  I also observed that the Wizard example is still
> > > > broken (paste binary characters into 'First Name' and then click the
> > > > Next button).  I have not yet registered for an account with Assembla
> > > > but would be happy to file the bug.
>
> > > > Dan
>
> > > > On Mar 4, 7:33 pm, Ross Mellgren <[email protected]> wrote:
>
> > > > > Check dpp's response as of 8:01
>
> > > > > -Ross
>
> > > > > On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
>
> > > > > > What version is the demo running?
>
> > > > > > -------------------------------------
> > > > > > Dano<[email protected]> wrote:
>
> > > > > > Just saw that Lift 2.0-M3 was released.  I looked to see if the
> > > > > > vulnerability was still present in demo.liftweb.net and I am still
> > > > > > able to generate exceptions in the browser when I paste binary
> > > > > > characters in the textfields for the Wizard, Wizard Challenge, and Arc
> > > > > > Challenge examples in the Misc section.
>
> > > > > > Don't know if this remaining problem is supposed to be handled by the
> > > > > > application or framework, but thought I would make a post to alert the
> > > > > > group.
>
> > > > > > Dan
>
> > > > > > On Feb 24, 11:49 am, Dano <[email protected]> wrote:
> > > > > >> The recent scala days conference activity may have caused the updates
> > > > > >> to this thread to escape notice.  Just wondering if there is concern
> > > > > >> about the remaining binary character problems I noted in my prior
> > > > > >> post.
>
> > > > > >> Thanks in advance.
>
> > > > > >> Dan
>
> > > > > >> On Feb 22, 1:34 pm, Dano <[email protected]> wrote:
>
> > > > > >>> More information on this in case anyone is interested.  If you go to
> > > > > >>> the lift demo website, it appears the issue with characters is mostly
> > > > > >>> addressed except for the "Misc code" section.  Specifically, the
> > > > > >>> "Wizard", "Wizard Challenge" and "Arc Challenge #1" examples will
> > > > > >>> generate XML parsing errors.
>
> > > > > >>> For these problems, I am not sure if the issue is with the example or the
> > > > > >>> framework.  If the issue is with the example, it would be good to know
> > > > > >>> what Lift apps need to do to avoid getting bitten by binary characters
> > > > > >>> entered into form fields.
>
> > > > > >>> Thanks in advance.
>
> > > > > >>> Dan
>
> > > > > >>> On Feb 17, 11:06 am, Dano <[email protected]> wrote:
>
> > > > > >>>> Hello,
>
> > > > > >>>> I was wondering if the fix for the control characters issue was
> > > > > >>>> included in 2.0-M2.  I just did a test with our Lift application built
> > > > > >>>> with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions
> > > > > >>>> - NS_ERROR_INVALID_POINTER).
>
> > > > > >>>> Thanks in advance.
>
> > > > > >>>> Dan
>
> > > > > >>>> On Feb 3, 9:08 am, David Pollak <[email protected]> wrote:
>
> > > > > >>>>> Thanks for pointing that out.  There are other problems as well... I'll fix
> > > > > >>>>> them (in both the Scala and Lift diffs)
>
> > > > > >>>>> On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang <[email protected]> wrote:
> > > > > >>>>>> I found that in the fix, \n is changed to \t, while \t to \n.  Is this
> > > > > >>>>>> desired behavior?
>
> > > > > >>>>>> Thank you,
>
> > > > > >>>>>> Feng
>
> > > > > >>>>>> On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri <[email protected]> wrote:
>
> > > > > >>>>>>> 1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
>
> > > > > >>>>>>> 2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x
> > > > > >>>>>>> 'unsupported' yet. Forcing apps to move to 2.0-M2 just for this
> > > > > >>>>>>> vulnerability fix isn't fun.
>
> > > > > >>>>>>> Cheers, Indrajit
>
> > > > > >>>>>>> On 03/02/10 3:34 PM, Timothy Perrett wrote:
>
> > > > > >>>>>>>> +1
>
> > > > > >>>>>>>> Fix it in head, no need to back-port; M2 is only around the corner.
>
> > > > > >>>>>>>> Cheers, Tim
>
> > > > > >>>>>>>> On 3 Feb 2010, at 09:49, Jeppe Nejsum Madsen wrote:
>
> > > > > >>>>>>>>> David Pollak <[email protected]> writes:
>
> > > > > >>>>>>>>>> I'd like to get a sense of how important the community views this
> > > > > >>>>>>>>>> defect.
> > > > > >>>>>>>>>> Is it a "backport the fix to every milestone and release yesterday" or
> > > > > >>>>>>>>>> is it a "fix it in 2.0-M2" or someplace in between.
>
> > > > > >>>>>>>>> For me, it's fix it in 2.0-SNAPSHOT
>
> > > > > >>>>>>>>> /Jeppe
>
> > > > > >>>>> --
> > > > > >>>>> Lift, the simply functional web framework http://liftweb.net
> > > > > >>>>> Beginning Scala http://www.apress.com/book/view/1430219890
> > > > > >>>>> Follow me: http://twitter.com/dpp
> > > > > >>>>> Surf the harmonics
>

-- 
You received this message because you are subscribed to the Google Groups 
"Lift" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/liftweb?hl=en.
