Control characters in input can lead to Denial of Service attacks
Control characters in user input that is displayed in Lift can lead to unparsable pages that contain that input. The fix is to filter all Text fields on output to ensure they do not contain illegal characters.
on 2010-02-06 13:52 *
By github.importer
Imported from GitHub: http://github.com/dpp/liftweb/issues/319/find
on 2010-02-24 12:42 *
By dpp
Type set to Defect
Component changed from None to WebKit
Milestone changed from Lift 2.0-M2 to Lift 2.0-M3
Priority changed from Normal (3) to Highest (1)
Scala inserts Atom[_] rather than Text when building XML and this means that making sure control chars are not in Text is not the complete solution.
(In revision:565ae6731775a671806cc44e7dfd933e3822e8bf) Closes #319. Added tests to make sure that PCData stuff is not molested by the enhanced additions to the search for control characters that might make it into XML
Branch: master
(In revision:4cea366fe4a71db6d9f1ef6650bdb782018777cf) Closes #319. Added tests to make sure that PCData stuff is not molested by the enhanced additions to the search for control characters that might make it into XML
Branch: master
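A sketch of the output filter this ticket describes, added here as an example and not Lift's own code: it strips code points outside the XML 1.0 `Char` range from `Text` and generic `Atom[_]` nodes and passes `PCData` through unchanged. The object and method names are hypothetical, the scala-xml library is assumed, and leaving `Unparsed` nodes and attribute values alone is a choice of this example.

```scala
import scala.xml._

object XmlCharFilter {
  // XML 1.0 "Char" production: the only code points a conforming parser accepts.
  def isLegal(cp: Int): Boolean =
    cp == 0x9 || cp == 0xA || cp == 0xD ||
      (cp >= 0x20 && cp <= 0xD7FF) ||
      (cp >= 0xE000 && cp <= 0xFFFD) ||
      (cp >= 0x10000 && cp <= 0x10FFFF)

  // Drop illegal code points. Walking by code point keeps valid surrogate
  // pairs intact and discards unpaired surrogates.
  def clean(s: String): String = {
    val sb = new java.lang.StringBuilder(s.length)
    var i = 0
    while (i < s.length) {
      val cp = s.codePointAt(i)
      if (isLegal(cp)) sb.appendCodePoint(cp)
      i += Character.charCount(cp)
    }
    sb.toString
  }

  def sanitize(ns: scala.collection.Seq[Node]): NodeSeq =
    NodeSeq.fromSeq(ns.map(sanitizeNode).toSeq)

  def sanitizeNode(n: Node): Node = n match {
    case e: Elem     => e.copy(child = sanitize(e.child)) // attributes not covered here
    case g: Group    => Group(sanitize(g.nodes))
    case p: PCData   => p                 // CDATA content is passed through unchanged
    case u: Unparsed => u                 // assumption: raw markup is the caller's job
    case t: Text     => Text(clean(t.data))
    case a: Atom[_]  => Text(clean(a.data.toString)) // values embedded with {...}
    case other       => other             // comments, entity refs, PIs
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample: "user input" carrying NUL, BEL and VT characters.
    val userInput = "Bob\u0000\u0007 Smith\u000b"
    val page = <div><p>{userInput}</p><b>{Text("x\u0001y")}</b>{PCData("a < b")}</div>
    println(sanitizeNode(page))
  }
}
```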