#319
  • Created on
    2010-02-03 00:30
  • Reported by
    dpp
  • Worked hours
    1.0 hour
  • Status
    Fixed
  • Priority
    Highest (1)
  • Assigned to
    dpp
  • Milestone
    Lift 2.0-M3
  • Plan Level
    -
  • Due Date
    -

Attachments

Related Tickets

Add new subtask or bug

Control characters in input can lead to Denial of Service attacks

Control characters in user input can lead that is displayed in Lift can lead to unparsible pages that contain that input. The fix is to filter all Text fields on output to insure they do not contain illegal characters.
User picture
  on 2010-02-06 13:52 *
By github.importer
Imported from GitHub: http://github.com/dpp/liftweb/issues/319/find
User picture
  on 2010-02-10 13:53 *
By dpp
Milestone set to Lift 2.0-M2
User picture
  on 2010-02-24 12:40 *
By dpp
Status changed from Fixed to New
User picture
  on 2010-02-24 12:41 *
By dpp
Status changed from New to Accepted
User picture
  on 2010-02-24 12:42 *
By dpp
Type set to Defect
Component changed from None to WebKit
Milestone changed from Lift 2.0-M2 to Lift 2.0-M3
Priority changed from Normal (3) to Highest (1)
Scala inserts Atom[_] rather than Text when building XML and this means that making sure control chars are not in Text is not the complete solution.
User picture
  on 2010-02-25 13:38 *
By dpp
Status changed from Accepted to Test
Added a bunch of tests and a very narrow definition of what is run through our escaper.
User picture
  on 2010-02-25 16:32 *
By dpp
Status changed from Test to Fixed
(In revision:565ae6731775a671806cc44e7dfd933e3822e8bf) Closes #319. Added tests to make sure that PCData stuff is not molested by the enhanced additions to the search for control characters that might make it into XML

Branch: master
User picture
  on 2010-02-25 16:33 *
By dpp
(In revision:4cea366fe4a71db6d9f1ef6650bdb782018777cf) Closes #319. Added tests to make sure that PCData stuff is not molested by the enhanced additions to the search for control characters that might make it into XML

Branch: master