Discussion:
How to prevent HTML escaping?
Heiko Seeberger
2011-03-12 09:10:59 UTC
Hi,

Suppose I have a text that already contains escaped HTML chars, e.g.
&quot;Bla Bla&quot;
If I bind this into a template, I get the ampersands escaped once
more: &amp;quot;Bla Bla&amp;quot;
How can I prevent this?

Heiko

Company: weiglewilczek.com
Blog: heikoseeberger.name
Follow me: twitter.com/hseeberger
OSGi on Scala: scalamodules.org
Lift, the simply functional web framework: liftweb.net
Akka - Simpler Scalability, Fault-Tolerance, Concurrency & Remoting through
Actors: akka.io
--
You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to liftweb-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
To unsubscribe from this group, send email to liftweb+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
Todd O'Bryan
2011-03-12 15:43:06 UTC
If you parse it as XML and then bind it as a NodeSeq, rather than as a
String, it should work. (I think.)

Beware, of course, that you could also insert nasty <script> tags or other
evil things if you're not careful.

Todd

Ján Raska
2011-03-12 17:36:50 UTC
If you parse it as XML and then bind it as a NodeSeq, rather than as a String, it should work. (I think.)
I don't think it'll work. Bind returns NodeSeq, so even if he uses String there, it should return NodeSeq by implicit conversions. It's actually stuff in the scala.xml package that does the escaping. To get unescaped HTML, you need to use scala.xml.Unparsed, but as said by Todd, beware of cross-site scripting and other vulnerabilities.
David Pollak
2011-03-12 18:10:20 UTC
You can use scala.xml.Unparsed, but, BUT, ***BUT***, if the XHTML is
invalid, you'll get an error in the browser. If the XHTML/HTML comes from
an untrusted source (user generated content, content from an external
system), you are opening a tremendously huge security hole.
--
Lift, the simply functional web framework http://liftweb.net
Simply Lift http://simply.liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Blog: http://goodstuff.im
Heiko Seeberger
2011-03-12 21:41:50 UTC
I see the security related issue with Unparsed, but what's the alternative?

Heiko

Sent from my iPhone
David Pollak
2011-03-12 21:45:26 UTC
Post by Heiko Seeberger
I see the security related issue with Unparsed, but what's the alternative?
Textile
Markdown

Never allow raw HTML to be communicated to your application, but allow a
markup format that captures a lot of the markup that you want, but has a
controlled conversion to HTML.
Ján Raska
2011-03-13 11:45:01 UTC
Well, as I said in another thread, the use of Textile and Markdown is rather limited. To run a full-featured blog or CMS that allows its users to edit pages in high detail, more than a lightweight markup is needed. So the question would be: if not HTML, is there any markup language that allows one to do pretty much the same as HTML, including CSS etc., but in a safe way?
Debilski
2011-03-13 12:39:11 UTC
Post by Ján Raska
Well, as I said in another thread, the use of Textile and Markdown is rather limited. To run a full-featured blog or CMS that allows its users to edit pages in high detail, more than a lightweight markup is needed. So the question would be: if not HTML, is there any markup language that allows one to do pretty much the same as HTML, including CSS etc., but in a safe way?
If it’s a more or less trusted source, you could maybe run the given
HTML or XML through a parser (so, either Scala’s XML or the HTML5
parser which would also fix some possible invalid markup) and then
have a whitelist of tags and attributes which you want to keep.

This will open the possibility of breaking the design (but not so much
by accident, if you check that the XML is valid and all tags close
properly). I’m not sure about security issues, though.
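Added example (not from this thread, and not Lift's or scala-xml's own code) that puts the advice above together: Ján's point that it is scala.xml.Text that does the escaping while Unparsed skips it, David's warning about markup from an untrusted source, and Debilski's suggestion to run the HTML through Scala's XML parser and keep a whitelist of tags and attributes. It goes slightly beyond the thread in two places: the SAX parser is configured to refuse DOCTYPE declarations and external entities, and href/src values are only kept when they carry a plain web scheme. The names SafeHtml, HardenedXML, sanitize, allowedTags, allowedAttrs and safeUrl are my own, the sample user HTML is constructed, and the code assumes only the scala-xml library on the classpath and the JDK's bundled Xerces parser (for the disallow-doctype-decl feature).

```scala
// Added example, not code from the thread or from Lift/scala-xml.
// Renders user-supplied HTML through scala.xml with a tag/attribute whitelist
// instead of handing the raw string to scala.xml.Unparsed.
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import scala.xml._
import scala.xml.factory.XMLLoader

object SafeHtml {

  // Parser with DTD processing switched off: user content must never be able
  // to pull in external entities or expand entity declarations.
  // (Feature names are Xerces/SAX ones; assumes the JDK's bundled parser.)
  private val factory: SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f
  }
  private object HardenedXML extends XMLLoader[Elem] {
    override def parser: SAXParser = factory.newSAXParser()
  }

  // Whitelist (hypothetical, adjust to the site's needs): tags that pass
  // through, and the attributes kept per tag. Everything else is dropped.
  val allowedTags: Set[String] =
    Set("p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "div", "span", "a", "img")
  val allowedAttrs: Map[String, Set[String]] = Map(
    "div"  -> Set("id", "class"),
    "span" -> Set("class"),
    "a"    -> Set("href", "title"),
    "img"  -> Set("src", "alt")
  ).withDefaultValue(Set.empty)

  // href/src: relative URLs or http(s)/mailto only. Control characters are
  // stripped before the check because browsers ignore them inside a scheme.
  private val SafeScheme = "^(?i)(https?|mailto):".r
  def safeUrl(v: String): Boolean = {
    val u = v.filter(_ > ' ')
    !u.contains(':') || SafeScheme.findPrefixOf(u).isDefined
  }

  private def clean(n: Node): NodeSeq = n match {
    // script/style: drop the element together with its content
    case e: Elem if e.label == "script" || e.label == "style" => NodeSeq.Empty
    case e: Elem if allowedTags(e.label) =>
      val keep = allowedAttrs(e.label)
      val attrs = e.attributes.filter { a =>
        val isUrl = a.key == "href" || a.key == "src"
        keep(a.key) && (!isUrl || safeUrl(a.value.map(_.text).mkString))
      }
      e.copy(attributes = attrs, child = e.child.flatMap(clean))
    // unknown tag (iframe, object, ...): unwrap it, keep its cleaned children
    case e: Elem => NodeSeq.fromSeq(e.child.flatMap(clean))
    // text stays a Text node, so &, < and > are escaped exactly once on output
    case t: Text => t
    case a: Atom[_] => Text(a.text)
    // comments, processing instructions and the like carry nothing we want
    case _ => NodeSeq.Empty
  }

  // Parse a fragment and return a NodeSeq that can be bound into a template.
  // A fragment that is not well-formed XML (unclosed tags, HTML-only entities
  // such as &nbsp;) is returned as an escaped Text node instead of rendered.
  def sanitize(fragment: String): NodeSeq =
    try {
      // loadString expects one root element; a fragment that starts with text
      // would otherwise fail with "Content is not allowed in prolog".
      val root = HardenedXML.loadString("<root>" + fragment + "</root>")
      NodeSeq.fromSeq(root.child.flatMap(clean))
    } catch {
      case _: org.xml.sax.SAXParseException => Text(fragment)
    }

  def main(args: Array[String]): Unit = {
    val alreadyEscaped = "&quot;Bla Bla&quot;"   // the string from the question
    println(Text(alreadyEscaped))      // Text escapes the & again: the double escaping
    println(Unparsed(alreadyEscaped))  // verbatim, but a <script> would pass verbatim too
    println(sanitize(alreadyEscaped))  // parsed once, escaped once on output

    // Constructed sample of user content, not taken from the thread: the style
    // and onclick attributes and the script element are dropped, the rest kept.
    val userHtml =
      """<div class="box warning" style="color:red"><p onclick="doIt()">Note &amp; <b>bold</b></p>""" +
      """<script>console.log("nope")</script><a href="https://example.com/">ok</a></div>"""
    println(sanitize(userHtml))
  }
}
```

sanitize returns a NodeSeq, so it goes into the bind where the String went before; because the parsed text is held in Text nodes, the &quot; from the question is written out once, not twice. The failure mode David describes (invalid XHTML producing an error in the browser) becomes a visible escaped string instead, which is the safer of the two outcomes for content from an editor.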
AGYNAMIX Torsten Uhlmann
2011-03-13 12:39:34 UTC
The people at Shopify.com have created their own markup language (http://wiki.shopify.com/Liquid) which is used to design store templates and stuff. I don't know much about it, I just stumbled upon it a while ago.

Torsten.
--
AGYNAMIX(R). Passionate Software.
Inh. Torsten Uhlmann | Buchenweg 5 | 09380 Thalheim
Phone: +49 3721 273445
Fax: +49 3721 273446
Mobile: +49 151 12412427
Web: http://www.agynamix.de
Stefan Langer
2011-03-14 10:12:12 UTC
I'd say no. As soon as you allow scripting you are out of luck as this will
enable anybody to manipulate your page with the same rights as the user
using it.

I wonder what features you need for editing that markdown or textile do not
support? Sounds more like you need templates in templates and in this case I
do not see a safe way of doing it without having the risk of getting
insecure content into the page.

-Stefan
Post by Ján Raska
Well, as I said in another thread, the use of Textile and Markdown is rather
limited. To run a full-featured blog or CMS that allows its users to edit
pages in high detail, more than a lightweight markup is needed. So the
question would be: if not HTML, is there any markup language that
allows one to do pretty much the same as HTML, including CSS etc., but in a safe
way?
Harry-Anton Talvik
2011-03-15 16:37:46 UTC
Hi,

On Mon, Mar 14, 2011 at 12:12, Stefan Langer
I'd say no. As soon as you allow scripting you are out of luck as this will enable anybody to manipulate your page with the same rights as the user using it.
I'd say take a look at google-caja, maybe it's something that's useful for you:
http://code.google.com/p/google-caja/
A source-to-source translator for securing Javascript-based web content

In addition to main demo at
http://caja.appspot.com/
there is also the Corkboard Demo which is ".. intended to demonstrate
how to straightforwardly use Caja in a web application as a “better
HTML sanitizer”".

The Corkboard Demo and discussion:
http://caja-corkboard.appspot.com/
http://code.google.com/p/google-caja/wiki/CorkboardDemo


All the best,
Harry-A.
Ján Raska
2011-03-15 21:26:33 UTC
I'd say no. As soon as you allow scripting you are out of luck as this will enable anybody to manipulate your page with the same rights as the user using it.
I wonder what features you need for editing that markdown or textile do not support? Sounds more like you need templates in templates and in this case I do not see a safe way of doing it without having the risk of getting insecure content into the page.
No, I don't need templates, I place those manually onto a server. I need fully featured page editing. For example, if I have a news site, it's common to place different information boxes within the article. But my clients want to have the boxes in different styles (color, heading etc.) depending on the type of content. It's quite common that there are 2 or 3 different boxes within the article. So I need to place different CSS classes in DIV tags to style it properly. Currently I have plugins in my CKEditor that allow a client to insert those boxes in a very user-friendly way.

Also very simple stuff such as the float attribute of an image. I really looked for it very hard in the markdown specification, but couldn't find it. And in HTML it's as simple as putting in a simple CSS class. And many other things. To do any CSS styling or to allow a user to place a component on a site on demand, allowing them to manipulate certain parts of the site through predefined AJAX calls, I simply need to put "id" and "class" attributes into my HTML. I can do that very well with a customized CKEditor. I can't do it with markdown, nor textile.

So to me, it seems that lightweight markup is good for discussion forums, emails, possibly blogs (with certain limitations for users), but not for a fully featured CMS or news editing system.
Peter Robinett
2011-03-14 12:07:27 UTC
Maybe I'm missing something but wouldn't this work?

scala> val x = scala.xml.XML.loadString("<p>He said, &quot;<test:saying />&quot;</p>")
x: scala.xml.Elem = <p>He said, &quot;<test:saying></test:saying>&quot;</p>
scala> Helpers.bind("test", x, "saying" -> "Cool!")
res0: scala.xml.NodeSeq = NodeSeq(<p>He said, &quot;Cool!&quot;</p>)
scala> res0.toString
res1: String = <p>He said, &quot;Cool!&quot;</p>

Peter
Heiko Seeberger
2011-03-14 18:26:21 UTC
Good idea, but the strings I feed into the loadString method cause an error:

Caught and thrown by:
Message: org.xml.sax.SAXParseException: Content is not allowed in prolog.
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:174)
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:388)
com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1414)
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:1039)
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
scala.xml.factory.XMLLoader$class.loadXML(XMLLoader.scala:40)
scala.xml.XML$.loadXML(XML.scala:40)
scala.xml.factory.XMLLoader$class.loadString(XMLLoader.scala:59)
scala.xml.XML$.loadString(XML.scala:40)
org.scalatip.snippet.ShowScalaTips$.renderScalaTip$1(ShowScalaTips.scala:31)
org.scalatip.snippet.ShowScalaTips$$anonfun$render$1.apply(ShowScalaTips.scala:42)
org.scalatip.snippet.ShowScalaTips$$anonfun$render$1.apply(ShowScalaTips.scala:42)
scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:206)
scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:206)
scala.collection.LinearSeqOptimized$class.foreach(LinearSeqOptimized.scala:61)
scala.collection.immutable.List.foreach(List.scala:45)
scala.collection.TraversableLike$class.map(TraversableLike.scala:206)
scala.collection.immutable.List.map(List.scala:45)
org.scalatip.snippet.ShowScalaTips$.render(ShowScalaTips.scala:42)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84$$anonfun$gotIt$1$3.apply(LiftSession.scala:1473)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84$$anonfun$gotIt$1$3.apply(LiftSession.scala:1471)
net.liftweb.common.Full.map(Box.scala:398)
net.liftweb.common.Box$WithFilter.map(Box.scala:209)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84.gotIt$1(LiftSession.scala:1471)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84.apply(LiftSession.scala:1523)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84.apply(LiftSession.scala:1441)
net.liftweb.common.EmptyBox.openOr(Box.scala:465)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82.apply(LiftSession.scala:1441)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82.apply(LiftSession.scala:1441)
net.liftweb.common.EmptyBox.openOr(Box.scala:465)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79.apply(LiftSession.scala:1440)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79.apply(LiftSession.scala:1440)
net.liftweb.http.S$.doSnippet(S.scala:1917)
net.liftweb.http.LiftSession$$anonfun$27.apply(LiftSession.scala:1438)
net.liftweb.http.LiftSession$$anonfun$27.apply(LiftSession.scala:1437)
net.liftweb.common.Full.map(Box.scala:398)
net.liftweb.http.LiftSession.net$liftweb$http$LiftSession$$processSnippet(LiftSession.scala:1437)
net.liftweb.http.LiftSession$$anonfun$_defaultLiftTagProcessing$1.apply(LiftSession.scala:1633)
net.liftweb.http.LiftSession$$anonfun$_defaultLiftTagProcessing$1.apply(LiftSession.scala:1621)
net.liftweb.util.NamedPF.apply(NamedPartialFunction.scala:36)
net.liftweb.util.NamedPF$.apply(NamedPartialFunction.scala:82)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92$$anonfun$apply$93.apply(LiftSession.scala:1723)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92$$anonfun$apply$93.apply(LiftSession.scala:1722)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.setVars(S.scala:1735)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92.apply(LiftSession.scala:1721)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92.apply(LiftSession.scala:1721)
net.liftweb.http.S$.withAttrs(S.scala:1760)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91.apply(LiftSession.scala:1720)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91.apply(LiftSession.scala:1720)
net.liftweb.http.S$.doSnippet(S.scala:1917)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90.apply(LiftSession.scala:1719)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90.apply(LiftSession.scala:1719)
net.liftweb.http.LiftSession.net$liftweb$http$LiftSession$$processOrDefer(LiftSession.scala:1706)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1718)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1713)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.Iterator$class.foreach(Iterator.scala:631)
scala.collection.LinearSeqLike$$anon$1.foreach(LinearSeqLike.scala:52)
scala.collection.IterableLike$class.foreach(IterableLike.scala:79)
scala.xml.NodeSeq.foreach(NodeSeq.scala:43)
scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:227)
scala.xml.NodeSeq.flatMap(NodeSeq.scala:43)
net.liftweb.http.LiftSession.processSurroundAndInclude(LiftSession.scala:1713)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1735)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1713)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.Iterator$class.foreach(Iterator.scala:631)
scala.collection.LinearSeqLike$$anon$1.foreach(LinearSeqLike.scala:52)
scala.collection.IterableLike$class.foreach(IterableLike.scala:79)
scala.xml.NodeSeq.foreach(NodeSeq.scala:43)
scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:227)
scala.xml.NodeSeq.flatMap(NodeSeq.scala:43)
net.liftweb.http.LiftSession.processSurroundAndInclude(LiftSession.scala:1713)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1735)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1713)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.Iterator$class.foreach(Iterator.scala:631)
scala.collection.LinearSeqLike$$anon$1.foreach(LinearSeqLike.scala:52)
scala.collection.IterableLike$class.foreach(IterableLike.scala:79)
scala.xml.NodeSeq.foreach(NodeSeq.scala:43)
scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:227)
scala.xml.NodeSeq.flatMap(NodeSeq.scala:43)
net.liftweb.http.LiftSession.processSurroundAndInclude(LiftSession.scala:1713)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2$$anonfun$apply$44.apply(LiftSession.scala:946)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2$$anonfun$apply$44.apply(LiftSession.scala:943)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2.apply(LiftSession.scala:943)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2.apply(LiftSession.scala:942)
net.liftweb.common.Full.map(Box.scala:398)
net.liftweb.http.LiftSession.processTemplate(LiftSession.scala:941)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46$$anonfun$apply$49.apply(LiftSession.scala:1035)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46$$anonfun$apply$49.apply(LiftSession.scala:1035)
net.liftweb.common.EmptyBox.or(Box.scala:467)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46.apply(LiftSession.scala:1034)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46.apply(LiftSession.scala:1034)
net.liftweb.util.StackableMaker$class.doWith(Maker.scala:141)
net.liftweb.http.Factory$FactoryMaker.doWith(Factory.scala:37)
net.liftweb.util.StackableMaker$class.doWith(Maker.scala:135)
net.liftweb.http.Factory$FactoryMaker.doWith(Factory.scala:37)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45.apply(LiftSession.scala:1033)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45.apply(LiftSession.scala:1029)
net.liftweb.http.LiftSession.net$liftweb$http$LiftSession$$checkStatelessInSiteMap(LiftSession.scala:973)
net.liftweb.http.LiftSession$$anonfun$19.apply(LiftSession.scala:1029)
net.liftweb.http.LiftSession$$anonfun$19.apply(LiftSession.scala:1027)
net.liftweb.common.EmptyBox.or(Box.scala:467)
net.liftweb.http.LiftSession.processRequest(LiftSession.scala:1027)
net.liftweb.http.LiftServlet.net$liftweb$http$LiftServlet$$dispatchStatefulRequest(LiftServlet.scala:314)
net.liftweb.http.LiftServlet$$anonfun$doSession$1$1.apply(LiftServlet.scala:191)
net.liftweb.http.LiftServlet$$anonfun$doSession$1$1.apply(LiftServlet.scala:191)
net.liftweb.http.S$.net$liftweb$http$S$$wrapQuery(S.scala:1169)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_nest2InnerInit$1$$anonfun$apply$29.apply(S.scala:1309)
net.liftweb.http.S$.net$liftweb$http$S$$doAround(S.scala:1106)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_nest2InnerInit$1.apply(S.scala:1307)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.net$liftweb$http$S$$_nest2InnerInit(S.scala:1306)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_innerInit$1$$anonfun$apply$31$$anonfun$apply$32$$anonfun$apply$33$$anonfun$apply$34.apply(S.scala:1332)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.withReq(S.scala:1341)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_innerInit$1$$anonfun$apply$31$$anonfun$apply$32$$anonfun$apply$33.apply(S.scala:1331)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_innerInit$1$$anonfun$apply$31$$anonfun$apply$32.apply(S.scala:1330)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_innerInit$1$$anonfun$apply$31.apply(S.scala:1329)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_innerInit$1.apply(S.scala:1328)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.net$liftweb$http$S$$_innerInit(S.scala:1327)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_init$1$$anonfun$apply$41$$anonfun$apply$42$$anonfun$apply$43$$anonfun$apply$44$$anonfun$apply$45.apply(S.scala:1381)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_init$1$$anonfun$apply$41$$anonfun$apply$42$$anonfun$apply$43$$anonfun$apply$44.apply(S.scala:1379)
net.liftweb.http.CoreRequestVarHandler$class.apply(Vars.scala:507)
net.liftweb.http.RequestVarHandler$.apply(Vars.scala:428)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_init$1$$anonfun$apply$41$$anonfun$apply$42$$anonfun$apply$43.apply(S.scala:1378)
net.liftweb.http.CoreRequestVarHandler$class.apply(Vars.scala:507)
net.liftweb.http.TransientRequestVarHandler$.apply(Vars.scala:432)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_init$1$$anonfun$apply$41$$anonfun$apply$42.apply(S.scala:1377)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_init$1$$anonfun$apply$41.apply(S.scala:1376)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_init$1.apply(S.scala:1375)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.net$liftweb$http$S$$_init(S.scala:1374)
net.liftweb.http.S$.init(S.scala:991)
net.liftweb.http.LiftServlet.doSession$1(LiftServlet.scala:190)
net.liftweb.http.LiftServlet.doService(LiftServlet.scala:200)
net.liftweb.http.LiftServlet$$anonfun$doIt$1$1.apply$mcZ$sp(LiftServlet.scala:86)
net.liftweb.http.LiftServlet$$anonfun$doIt$1$1.apply(LiftServlet.scala:86)
net.liftweb.http.LiftServlet$$anonfun$doIt$1$1.apply(LiftServlet.scala:86)
net.liftweb.util.TimeHelpers$class.calcTime(TimeHelpers.scala:329)
net.liftweb.util.Helpers$.calcTime(Helpers.scala:34)
net.liftweb.util.TimeHelpers$class.logTime(TimeHelpers.scala:338)
net.liftweb.util.Helpers$.logTime(Helpers.scala:34)
net.liftweb.http.LiftServlet.doIt$1(LiftServlet.scala:85)
net.liftweb.http.LiftServlet.service(LiftServlet.scala:93)
net.liftweb.http.provider.HTTPProvider$$anonfun$service$2.apply$mcV$sp(HTTPProvider.scala:66)
net.liftweb.http.provider.HTTPProvider$$anonfun$service$2.apply(HTTPProvider.scala:65)
net.liftweb.http.provider.HTTPProvider$$anonfun$service$2.apply(HTTPProvider.scala:65)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.URLRewriter$.doWith(Req.scala:934)
net.liftweb.http.provider.HTTPProvider$class.service(HTTPProvider.scala:64)
net.liftweb.http.LiftFilter.service(LiftServlet.scala:635)
net.liftweb.http.provider.servlet.ServletFilterProvider$$anonfun$doFilter$1$$anonfun$apply$mcV$sp$1.apply$mcV$sp(ServletFilterProvider.scala:67)
net.liftweb.http.provider.servlet.ServletFilterProvider$$anonfun$doFilter$1$$anonfun$apply$mcV$sp$1.apply(ServletFilterProvider.scala:62)
net.liftweb.http.provider.servlet.ServletFilterProvider$$anonfun$doFilter$1$$anonfun$apply$mcV$sp$1.apply(ServletFilterProvider.scala:62)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12$$anonfun$apply$13$$anonfun$apply$14$$anonfun$apply$15.apply(Vars.scala:513)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12$$anonfun$apply$13$$anonfun$apply$14.apply(Vars.scala:512)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12$$anonfun$apply$13.apply(Vars.scala:511)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12.apply(Vars.scala:510)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$class.apply(Vars.scala:509)
net.liftweb.http.RequestVarHandler$.apply(Vars.scala:428)
net.liftweb.http.provider.servlet.ServletFilterProvider$$anonfun$doFilter$1.apply$mcV$sp(ServletFilterProvider.scala:61)
net.liftweb.http.provider.servlet.ServletFilterProvider$$anonfun$doFilter$1.apply(ServletFilterProvider.scala:61)
net.liftweb.http.provider.servlet.ServletFilterProvider$$anonfun$doFilter$1.apply(ServletFilterProvider.scala:61)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12$$anonfun$apply$13$$anonfun$apply$14$$anonfun$apply$15.apply(Vars.scala:513)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12$$anonfun$apply$13$$anonfun$apply$14.apply(Vars.scala:512)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12$$anonfun$apply$13.apply(Vars.scala:511)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$$anonfun$apply$12.apply(Vars.scala:510)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.CoreRequestVarHandler$class.apply(Vars.scala:509)
net.liftweb.http.TransientRequestVarHandler$.apply(Vars.scala:432)
net.liftweb.http.provider.servlet.ServletFilterProvider$class.doFilter(ServletFilterProvider.scala:60)
net.liftweb.http.LiftFilter.doFilter(LiftServlet.scala:635)
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1190)
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:424)
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:494)
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:931)
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:361)
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867)
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
org.eclipse.jetty.server.Server.handle(Server.java:337)
org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:581)
org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1005)
org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:560)
org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:222)
org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:417)
org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:474)
org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:437)
java.lang.Thread.run(Thread.java:680)
Post by Peter Robinett
Maybe I'm missing something but wouldn't this work?
scala> val x = scala.xml.XML.loadString("<p>He said, &quot;<test:saying />&quot;</p>")
x: scala.xml.Elem = <p>He said, &quot;<test:saying></test:saying>&quot;</p>
scala> Helpers.bind("test", x, "saying" -> "Cool!")
res0: scala.xml.NodeSeq = NodeSeq(<p>He said, &quot;Cool!&quot;</p>)
scala> res0.toString
res1: String = <p>He said, &quot;Cool!&quot;</p>
Peter
--
Heiko Seeberger

Company: weiglewilczek.com
Blog: heikoseeberger.name
Follow me: twitter.com/hseeberger
OSGi on Scala: scalamodules.org
Lift, the simply functional web framework: liftweb.net
Akka - Simpler Scalability, Fault-Tolerance, Concurrency & Remoting through
Actors: akka.io
Christopher Taylor
2011-03-14 20:42:40 UTC
Permalink
It's because your string doesn't have a root element. Try the following instead:
val x = scala.xml.XML.loadString("<unused>" + yourString + "</unused>").child

Hope that helps,
--Chris
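The pieces of this thread put together, as an added example that is not from the original posts or from Lift: a scala.xml-only program that reproduces the double escaping Heiko reported when binding a String, applies the wrap-in-a-throwaway-element-and-take-`.child` fix Chris gives for the "Content is not allowed in prolog" error, and handles the caveat Todd raised earlier in the thread (once text is parsed as markup, any element in it is live) with an element allowlist. An XML literal stands in for `Helpers.bind`, since the serialiser's escaping is what matters. The object name `EscapedFragmentBinding`, the `allowedElements` set, the `safeLoader` parser setup and the sample strings are all assumptions made for the example.

```scala
import javax.xml.parsers.SAXParserFactory
import scala.xml.{Elem, NodeSeq, Null, Text, XML}
import scala.xml.factory.XMLLoader

// Added example object (not part of Lift or of the thread); names are assumptions.
object EscapedFragmentBinding {

  // Constructed sample: text that already carries HTML entities, as in the question.
  val alreadyEscaped: String = "&quot;Bla Bla&quot;"

  // Bound as a String, the entities are literal text, so the ampersands are
  // escaped a second time when the node is serialised (the double escaping
  // reported in the thread). An XML literal stands in for Helpers.bind here.
  def bindAsString(s: String): String =
    (<p>{Text(s)}</p>).toString

  // The platform SAX parser (Xerces, per the stack trace in the thread) with
  // DOCTYPE declarations refused, so a fragment parsed from untrusted text
  // cannot declare or pull in entities of its own. Feature name is Xerces-specific.
  private val safeLoader: XMLLoader[Elem] = {
    val factory = SAXParserFactory.newInstance()
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    XML.withSAXParser(factory.newSAXParser())
  }

  // loadString insists on exactly one root element. A fragment that starts
  // with text, or has several top-level nodes, fails with "Content is not
  // allowed in prolog", so wrap it in a throwaway element and keep only the
  // children, as suggested in the thread.
  def parseFragment(s: String): NodeSeq =
    NodeSeq.fromSeq(safeLoader.loadString("<unused>" + s + "</unused>").child)

  // Bound as a NodeSeq, the parsed Text node holds plain quote characters,
  // which the serialiser escapes exactly once.
  def bindAsNodeSeq(s: String): String =
    (<p>{parseFragment(s)}</p>).toString

  // Parsing text as markup makes every element in it live. Keep a small
  // allowlist of inline elements, drop all attributes (href, onclick, style
  // and the like) and reduce any other element to its text content.
  val allowedElements: Set[String] = Set("b", "i", "em", "strong", "code", "br")

  def sanitize(nodes: NodeSeq): NodeSeq = NodeSeq.fromSeq(nodes.flatMap {
    case e: Elem if allowedElements.contains(e.label) =>
      e.copy(attributes = Null, child = sanitize(NodeSeq.fromSeq(e.child)))
    case e: Elem => Text(e.text)      // disallowed element: keep only its text
    case t: Text => t
    case _       => NodeSeq.Empty     // comments, processing instructions
  })

  def bindSanitized(s: String): String =
    (<p>{sanitize(parseFragment(s))}</p>).toString

  def main(args: Array[String]): Unit = {
    println(bindAsString(alreadyEscaped))   // <p>&amp;quot;Bla Bla&amp;quot;</p>
    println(bindAsNodeSeq(alreadyEscaped))  // <p>&quot;Bla Bla&quot;</p>

    // Constructed sample: an attribute and an element that must not survive.
    val untrusted = "<b onclick=\"f()\">Bla</b> &amp; <script>f()</script>"
    println(bindSanitized(untrusted))       // <p><b>Bla</b> &amp; f()</p>
  }
}
```

Two limits of the parse-it-first approach are worth keeping in mind. The wrapper only makes the fragment well-formed XML; the content still has to be well-formed itself, so a bare `&` ("Tom & Jerry") or an HTML-only entity such as `&nbsp;` that is not one of XML's five predefined entities still fails in the parser. And the sanitizer above is deliberately strict (attributes are dropped wholesale, unknown elements become text); if the application needs links or images, extend the allowlist with an explicit per-element attribute policy rather than letting attributes through unchecked.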


On Mon, Mar 14, 2011 at 7:26 PM, Heiko Seeberger
Post by Heiko Seeberger
Message: org.xml.sax.SAXParseException: Content is not allowed in prolog.
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:174)
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:388)
com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1414)
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:1039)
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
scala.xml.factory.XMLLoader$class.loadXML(XMLLoader.scala:40)
scala.xml.XML$.loadXML(XML.scala:40)
scala.xml.factory.XMLLoader$class.loadString(XMLLoader.scala:59)
scala.xml.XML$.loadString(XML.scala:40)
org.scalatip.snippet.ShowScalaTips$.renderScalaTip$1(ShowScalaTips.scala:31)
org.scalatip.snippet.ShowScalaTips$$anonfun$render$1.apply(ShowScalaTips.scala:42)
org.scalatip.snippet.ShowScalaTips$$anonfun$render$1.apply(ShowScalaTips.scala:42)
scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:206)
scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:206)
scala.collection.LinearSeqOptimized$class.foreach(LinearSeqOptimized.scala:61)
scala.collection.immutable.List.foreach(List.scala:45)
scala.collection.TraversableLike$class.map(TraversableLike.scala:206)
scala.collection.immutable.List.map(List.scala:45)
org.scalatip.snippet.ShowScalaTips$.render(ShowScalaTips.scala:42)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84$$anonfun$gotIt$1$3.apply(LiftSession.scala:1473)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84$$anonfun$gotIt$1$3.apply(LiftSession.scala:1471)
net.liftweb.common.Full.map(Box.scala:398)
net.liftweb.common.Box$WithFilter.map(Box.scala:209)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84.gotIt$1(LiftSession.scala:1471)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84.apply(LiftSession.scala:1523)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82$$anonfun$apply$84.apply(LiftSession.scala:1441)
net.liftweb.common.EmptyBox.openOr(Box.scala:465)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82.apply(LiftSession.scala:1441)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79$$anonfun$apply$82.apply(LiftSession.scala:1441)
net.liftweb.common.EmptyBox.openOr(Box.scala:465)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79.apply(LiftSession.scala:1440)
net.liftweb.http.LiftSession$$anonfun$27$$anonfun$apply$79.apply(LiftSession.scala:1440)
net.liftweb.http.S$.doSnippet(S.scala:1917)
net.liftweb.http.LiftSession$$anonfun$27.apply(LiftSession.scala:1438)
net.liftweb.http.LiftSession$$anonfun$27.apply(LiftSession.scala:1437)
net.liftweb.common.Full.map(Box.scala:398)
net.liftweb.http.LiftSession.net$liftweb$http$LiftSession$$processSnippet(LiftSession.scala:1437)
net.liftweb.http.LiftSession$$anonfun$_defaultLiftTagProcessing$1.apply(LiftSession.scala:1633)
net.liftweb.http.LiftSession$$anonfun$_defaultLiftTagProcessing$1.apply(LiftSession.scala:1621)
net.liftweb.util.NamedPF.apply(NamedPartialFunction.scala:36)
net.liftweb.util.NamedPF$.apply(NamedPartialFunction.scala:82)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92$$anonfun$apply$93.apply(LiftSession.scala:1723)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92$$anonfun$apply$93.apply(LiftSession.scala:1722)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.setVars(S.scala:1735)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92.apply(LiftSession.scala:1721)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91$$anonfun$apply$92.apply(LiftSession.scala:1721)
net.liftweb.http.S$.withAttrs(S.scala:1760)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91.apply(LiftSession.scala:1720)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90$$anonfun$apply$91.apply(LiftSession.scala:1720)
net.liftweb.http.S$.doSnippet(S.scala:1917)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90.apply(LiftSession.scala:1719)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1$$anonfun$apply$90.apply(LiftSession.scala:1719)
net.liftweb.http.LiftSession.net$liftweb$http$LiftSession$$processOrDefer(LiftSession.scala:1706)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1718)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1713)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.Iterator$class.foreach(Iterator.scala:631)
scala.collection.LinearSeqLike$$anon$1.foreach(LinearSeqLike.scala:52)
scala.collection.IterableLike$class.foreach(IterableLike.scala:79)
scala.xml.NodeSeq.foreach(NodeSeq.scala:43)
scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:227)
scala.xml.NodeSeq.flatMap(NodeSeq.scala:43)
net.liftweb.http.LiftSession.processSurroundAndInclude(LiftSession.scala:1713)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1735)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1713)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.Iterator$class.foreach(Iterator.scala:631)
scala.collection.LinearSeqLike$$anon$1.foreach(LinearSeqLike.scala:52)
scala.collection.IterableLike$class.foreach(IterableLike.scala:79)
scala.xml.NodeSeq.foreach(NodeSeq.scala:43)
scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:227)
scala.xml.NodeSeq.flatMap(NodeSeq.scala:43)
net.liftweb.http.LiftSession.processSurroundAndInclude(LiftSession.scala:1713)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1735)
net.liftweb.http.LiftSession$$anonfun$processSurroundAndInclude$1.apply(LiftSession.scala:1713)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:227)
scala.collection.Iterator$class.foreach(Iterator.scala:631)
scala.collection.LinearSeqLike$$anon$1.foreach(LinearSeqLike.scala:52)
scala.collection.IterableLike$class.foreach(IterableLike.scala:79)
scala.xml.NodeSeq.foreach(NodeSeq.scala:43)
scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:227)
scala.xml.NodeSeq.flatMap(NodeSeq.scala:43)
net.liftweb.http.LiftSession.processSurroundAndInclude(LiftSession.scala:1713)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2$$anonfun$apply$44.apply(LiftSession.scala:946)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2$$anonfun$apply$44.apply(LiftSession.scala:943)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2.apply(LiftSession.scala:943)
net.liftweb.http.LiftSession$$anonfun$processTemplate$2.apply(LiftSession.scala:942)
net.liftweb.common.Full.map(Box.scala:398)
net.liftweb.http.LiftSession.processTemplate(LiftSession.scala:941)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46$$anonfun$apply$49.apply(LiftSession.scala:1035)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46$$anonfun$apply$49.apply(LiftSession.scala:1035)
net.liftweb.common.EmptyBox.or(Box.scala:467)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46.apply(LiftSession.scala:1034)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45$$anonfun$apply$46.apply(LiftSession.scala:1034)
net.liftweb.util.StackableMaker$class.doWith(Maker.scala:141)
net.liftweb.http.Factory$FactoryMaker.doWith(Factory.scala:37)
net.liftweb.util.StackableMaker$class.doWith(Maker.scala:135)
net.liftweb.http.Factory$FactoryMaker.doWith(Factory.scala:37)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45.apply(LiftSession.scala:1033)
net.liftweb.http.LiftSession$$anonfun$19$$anonfun$apply$45.apply(LiftSession.scala:1029)
net.liftweb.http.LiftSession.net$liftweb$http$LiftSession$$checkStatelessInSiteMap(LiftSession.scala:973)
net.liftweb.http.LiftSession$$anonfun$19.apply(LiftSession.scala:1029)
net.liftweb.http.LiftSession$$anonfun$19.apply(LiftSession.scala:1027)
net.liftweb.common.EmptyBox.or(Box.scala:467)
net.liftweb.http.LiftSession.processRequest(LiftSession.scala:1027)
net.liftweb.http.LiftServlet.net$liftweb$http$LiftServlet$$dispatchStatefulRequest(LiftServlet.scala:314)
net.liftweb.http.LiftServlet$$anonfun$doSession$1$1.apply(LiftServlet.scala:191)
net.liftweb.http.LiftServlet$$anonfun$doSession$1$1.apply(LiftServlet.scala:191)
net.liftweb.http.S$.net$liftweb$http$S$$wrapQuery(S.scala:1169)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_nest2InnerInit$1$$anonfun$apply$29.apply(S.scala:1309)
net.liftweb.http.S$.net$liftweb$http$S$$doAround(S.scala:1106)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_nest2InnerInit$1.apply(S.scala:1307)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
net.liftweb.http.S$.net$liftweb$http$S$$_nest2InnerInit(S.scala:1306)
net.liftweb.http.S$$anonfun$net$liftweb$http$S$$_innerInit$1$$anonfun$apply$31$$anonfun$apply$32$$anonfun$apply$33$$anonfun$apply$34.apply(S.scala:1332)
net.liftweb.util.ThreadGlobal.doWith(ThreadGlobal.scala:71)
Post by Peter Robinett
Maybe I'm missing something but wouldn't this work?
scala> val x = scala.xml.XML.loadString("<p>He said, &quot;<test:saying />&quot;</p>")
x: scala.xml.Elem = <p>He said, &quot;<test:saying></test:saying>&quot;</p>
scala> Helpers.bind("test", x, "saying" -> "Cool!")
res0: scala.xml.NodeSeq = NodeSeq(<p>He said, &quot;Cool!&quot;</p>)
scala> res0.toString
res1: String = <p>He said, &quot;Cool!&quot;</p>
Peter
--
You received this message because you are subscribed to the Google Groups "Lift" group.
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
--
Heiko Seeberger
Company: weiglewilczek.com
Blog: heikoseeberger.name
Follow me: twitter.com/hseeberger
OSGi on Scala: scalamodules.org
Lift, the simply functional web framework: liftweb.net
Akka - Simpler Scalability, Fault-Tolerance, Concurrency & Remoting through Actors: akka.io
Heiko Seeberger
2011-03-15 05:52:13 UTC
Post by Christopher Taylor
It's because your string doesn't have a root element.
Sure ;-)
Post by Christopher Taylor
val x = scala.xml.XML.loadString("<unused>" + yourString + "</unused>") .child
That works, of course. But I wonder whether that helps with the security
issue? Looks like the net effect is the same as using Unparsed.

Heiko
Christopher Taylor
2011-03-15 07:38:21 UTC
On Tue, Mar 15, 2011 at 6:52 AM, Heiko Seeberger
Post by Heiko Seeberger
val x = scala.xml.XML.loadString("<unused>" + yourString + "</unused>").child
That works, of course. But I wonder whether that helps with the security
issue? Looks like the net effect is the same as using Unparsed.
No, it's no help against any kind of injection issue. The difference
to using Unparsed is merely that it ensures that your output is
well-formed. Personally, I'd use markdown or make sure that the
contents I'm embedding come from a trustworthy source (e.g. I've used
this technique to embed posts I retrieved from the Posterous API; I
was trusting them to filter the content since that's part of their
core business).

--Chris
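As an added example (not code from this thread, from Lift, or from Chris), here is the contrast Chris describes, in plain scala.xml: binding a String double-escapes the entities, wrapping the fragment in a throwaway root and parsing it keeps them intact but also lets a script element and every attribute through untouched, and an allowlist walk over the parsed tree is one way to keep the well-formedness benefit without having to trust the source. The sample fragment, the object name, and the allowlist are assumptions.

```scala
import scala.xml.{Elem, MetaData, NodeSeq, Text, XML}

object EmbedDemo {
  // Constructed sample: text that already carries HTML entities, plus some
  // markup of the kind a third-party feed could deliver.
  val fragment: String =
    "He said, &quot;Bla Bla&quot; <b>fine</b> <script>run()</script> " +
    "<a href=\"https://example.com\" onclick=\"run()\">link</a>"

  // Binding a String: Lift puts it in a Text node, whose serialization
  // escapes the ampersands again, so &quot; comes out as &amp;quot;.
  def boundAsString(s: String): String = Text(s).toString

  // Wrapping in a throwaway root and parsing (Chris's suggestion): entities
  // are decoded once and re-escaped once on output. Well-formed, but
  // <script> and every attribute pass straight through. Only the five XML
  // entities are understood; an HTML entity such as &nbsp; makes
  // loadString throw.
  def boundAsNodes(s: String): NodeSeq =
    NodeSeq.fromSeq(XML.loadString("<unused>" + s + "</unused>").child)

  // Added mitigation (assumed allowlist): walk the parsed tree, keep only
  // known elements, drop disallowed elements together with their contents,
  // and keep no attribute except an http(s) href on <a>.
  val allowedTags: Set[String] =
    Set("p", "b", "i", "em", "strong", "a", "ul", "ol", "li")

  def sanitize(ns: NodeSeq): NodeSeq = NodeSeq.fromSeq(ns.flatMap {
    case e: Elem if allowedTags(e.label) =>
      val attrs: MetaData = e.attributes.filter { a =>
        e.label == "a" && a.key == "href" &&
          a.value.mkString.matches("https?://.*")
      }
      e.copy(attributes = attrs, child = sanitize(NodeSeq.fromSeq(e.child)))
    case _: Elem => NodeSeq.Empty // script, iframe, style, ...: dropped whole
    case other   => other         // decoded text is re-escaped on output
  })

  def main(args: Array[String]): Unit = {
    println("as String:  " + boundAsString(fragment))
    println("as nodes:   " + boundAsNodes(fragment))
    println("sanitized:  " + sanitize(boundAsNodes(fragment)))
  }
}
```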
Heiko Seeberger
2011-03-15 08:12:19 UTC
On 15 March 2011 08:38, Christopher Taylor <ccmtaylor-***@public.gmane.org> wrote:

Personally, I'd use markdown or make sure that the
Post by Christopher Taylor
contents I'm embedding come from a trustworthy source (e.g. I've used
this technique to embed posts I retrieved from the Posterous API; I
was trusting them to filter the content since that's part of their
core business).
Could you please show me a little code snippet demoing how you did that?

Thank you,

Heiko
Christopher Taylor
2011-03-15 19:07:59 UTC
Hi,

On Tue, Mar 15, 2011 at 9:12 AM, Heiko Seeberger
Post by Heiko Seeberger
Post by Christopher Taylor
Personally, I'd use markdown or make sure that the
contents I'm embedding come from a trustworthy source (e.g. I've used
this technique to embed posts I retrieved from the Posterous API; I
was trusting them to filter the content since that's part of their
core business).
Could you please show me a little code snippet demoing how you did that?
Here's the snippet and the corresponding HTML. It's from before the
new CSS selectors were introduced, so it uses bind(). I guess you
could use dispatch or apache httpclient to fetch the content instead,
but I didn't have any special requirements.

Like I said in the other post, this trusts that Posterous is filtering
the content correctly.

Regards,
--Chris

------------------------------------

import java.net.URL
import scala.xml.{Elem, NodeSeq, XML}
import net.liftweb.common.Logger
import net.liftweb.http.S
import net.liftweb.util.Helpers._

class News extends Logger {
  def listNews(xhtml: NodeSeq): NodeSeq = {
    // Fetch the feed and parse it as XML; doClose (from Helpers) closes the
    // stream once the block has run.
    def getFeed(feedUrl: String): Elem = {
      val u = new URL(feedUrl)
      val con = u.openConnection
      val is = con.getInputStream
      doClose(is) {
        XML.load(is)
      }
    }

    val items =
      getFeed("http://posterous.com/api/readposts?site_id=YOUR_ID_GOES_HERE")
    // The tag to display comes from the localized resource bundle.
    val tag: String = S ? "posterous.tag"
    info(tag)
    info(items.toString)
    // Each post with the wanted tag is bound into the template. The body is
    // parsed as XML rather than bound as a String, so its markup is emitted
    // unescaped; this relies on Posterous having filtered it.
    val result = for (post <- (items \ "post")
                      if (post \ "tag").text == tag)
      yield bind("newsItem", xhtml,
                 "title" -> (post \ "title").text,
                 "body" ->
                   XML.loadString("<lift:children>" ++ (post \ "body").text ++
                                  "</lift:children>"))
    NodeSeq.fromSeq(result.flatten)
  }
}

------------------------------------

<lift:lazy-load>
  <lift:news.listNews>
    <hr />
    <div class="newsitem">
      <h3><newsItem:title>The title</newsItem:title></h3>
      <newsItem:body>
        Lorem ipsum dolor sit amet, etc.
      </newsItem:body>
    </div>
  </lift:news.listNews>
</lift:lazy-load>