We disable external doctypes altogether, and we also enable secure processing; combined, these mitigate more attacks than just the XML External Entity attack. The tests are updated to indicate that we now throw an exception whenever we encounter an XML document with a doctype declaration. Signed-off-by: Diego Medina <email@example.com>
The secure XML parser does not allow entity references to refer to external entities; allowing this exposes an application to XXE (XML External Entity) attacks, where the external reference can be to a local file with sensitive data, whose contents will then appear in the resulting parse error messages. External entities are ignored and will not appear in the parsed or reserialized XML. All of Lift's built-in XML parsing now uses Helpers.secureXML instead of directly using scala.xml.XML, including in tests. More at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing . Signed-off-by: Diego Medina <firstname.lastname@example.org>
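The two commit messages above describe the hardening in prose only. The following Scala snippet is an added illustration, not Lift's own `Helpers.secureXML`, of what such a parser configuration looks like on the JVM: a SAX parser factory with `disallow-doctype-decl` and `FEATURE_SECURE_PROCESSING` turned on and external entity resolution turned off, handed to `scala.xml.XML.withSAXParser`. The object and method names (`SecureXml`, `newSecureParser`, `parse`) are hypothetical, the two documents are constructed samples, and the code assumes the `scala-xml` module is on the classpath.

```scala
import java.util.concurrent.TimeoutException
import javax.xml.XMLConstants
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}

// Hypothetical helper in the spirit of Lift's Helpers.secureXML; not the project's code.
object SecureXml {
  def newSecureParser(): SAXParser = {
    val factory = SAXParserFactory.newInstance()
    factory.setNamespaceAware(true)
    // Reject any DOCTYPE outright, so no entity (internal or external) can be declared at all.
    // This is the behaviour the commits describe: a doctype now raises an exception.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth: even if a parser implementation ignored the feature above,
    // never fetch external general or parameter entities.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    // Secure processing also caps entity expansion, which blocks "billion laughs" style DoS.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.setXIncludeAware(false)
    factory.newSAXParser()
  }

  // Parse with the hardened parser; any doctype surfaces as a Failure instead of resolved content.
  def parse(source: String): Try[Elem] =
    Try(XML.withSAXParser(newSecureParser()).loadString(source))
}

object SecureXmlDemo extends App {
  // Constructed samples: a plain document, and one that carries a DOCTYPE with an
  // external DTD reference (a placeholder name, not a real resource).
  val benign = "<config><name>demo</name></config>"
  val withDoctype =
    """<?xml version="1.0"?>
      |<!DOCTYPE config SYSTEM "placeholder.dtd">
      |<config><name>demo</name></config>""".stripMargin

  SecureXml.parse(benign) match {
    case Success(elem) => println(s"parsed: ${(elem \ "name").text}")
    case Failure(e)    => println(s"unexpected failure: ${e.getMessage}")
  }

  SecureXml.parse(withDoctype) match {
    case Success(_) => println("document with DOCTYPE was accepted; parser is not hardened")
    case Failure(e) => println(s"rejected as expected: ${e.getClass.getSimpleName}: ${e.getMessage}")
  }
}
```

Calling `setFeature` on the factory before `newSAXParser()` matters: features set on an already-built parser's `XMLReader` apply only to that instance, while the factory setting covers every parser it produces. A parser that throws `SAXNotRecognizedException` for `disallow-doctype-decl` is not the JDK's built-in one and should be treated as unhardened rather than silently used.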
Fix LAFuture.map/flatMap when an exception happens inside. Before the change `LAFuture.map`/`.flatMap` never satisfied the future in cases where the function threw an exception. After the change, the returned future is satisfied by a `Failure`. This change also contains a minor fix: `get(timeout)` was returning `Empty` instead of a `Failure` if the `LAFuture` was aborted. Also added extensions providing `toBox` conversions from `scala.Option` and from `scala.util.Try`.
….util.Try to Box: extension implicit classes with toBox methods.
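The `LAFuture` commit above states the fixed semantics but shows no code. As an added illustration that is not Lift's `LAFuture`, the toy future below (hypothetical names `ToyFuture`, `satisfy`, `abort`, `get`) implements the behaviour the message describes: `map` and `flatMap` run the user function inside `Try`, so an exception satisfies the derived future with a `Failure` instead of leaving it pending forever, and `get(timeout)` on an aborted future returns that `Failure` rather than a timeout. A callback that let the exception escape would never call `complete` on the derived future, which is the pre-fix bug.

```scala
import java.util.concurrent.TimeoutException
import scala.collection.mutable.ListBuffer
import scala.util.{Failure, Success, Try}

// Hypothetical minimal future; only the completion and map/flatMap semantics matter here.
final class ToyFuture[T] {
  private val lock = new Object
  private var result: Option[Try[T]] = None
  private val listeners = ListBuffer.empty[Try[T] => Unit]

  // First completion wins; later ones are ignored. Listeners run outside the lock.
  def complete(r: Try[T]): Unit = {
    val toRun = lock.synchronized {
      if (result.isDefined) Nil
      else {
        result = Some(r)
        lock.notifyAll()
        val pending = listeners.toList
        listeners.clear()
        pending
      }
    }
    toRun.foreach(cb => cb(r))
  }
  def satisfy(v: T): Unit = complete(Success(v))
  def abort(e: Throwable): Unit = complete(Failure(e))

  def onComplete(cb: Try[T] => Unit): Unit = {
    val already = lock.synchronized {
      result match {
        case Some(r) => Some(r)
        case None    => listeners += cb; None
      }
    }
    already.foreach(cb)
  }

  // An aborted future yields its Failure; only a genuinely unsatisfied one times out.
  def get(timeoutMillis: Long): Try[T] = lock.synchronized {
    val deadline = System.currentTimeMillis() + timeoutMillis
    var remaining = timeoutMillis
    while (result.isEmpty && remaining > 0) {
      lock.wait(remaining)
      remaining = deadline - System.currentTimeMillis()
    }
    result.getOrElse(Failure(new TimeoutException(s"no result after ${timeoutMillis}ms")))
  }

  // Try.map catches NonFatal exceptions thrown by f, so the derived future is always completed.
  def map[U](f: T => U): ToyFuture[U] = {
    val out = new ToyFuture[U]
    onComplete(r => out.complete(r.map(f)))
    out
  }

  // Same idea for flatMap: f itself may throw, or the inner future may fail; both reach `out`.
  def flatMap[U](f: T => ToyFuture[U]): ToyFuture[U] = {
    val out = new ToyFuture[U]
    onComplete {
      case Success(v) =>
        Try(f(v)) match {
          case Success(inner) => inner.onComplete(out.complete)
          case Failure(e)     => out.abort(e)
        }
      case Failure(e) => out.abort(e)
    }
    out
  }
}

object ToyFutureDemo extends App {
  val src = new ToyFuture[Int]
  val doubled = src.map(_ * 2)
  val throwing = src.map(n => if (n > 0) throw new IllegalStateException("boom") else n)
  src.satisfy(21)
  println(s"doubled:  ${doubled.get(100)}")
  println(s"throwing: ${throwing.get(100)}")

  val aborted = new ToyFuture[String]
  aborted.abort(new RuntimeException("aborted upstream"))
  println(s"aborted:  ${aborted.get(100)}")
}
```

The property worth checking in a real code base is the one the commit's updated tests presumably assert: every derived future is eventually completed, with `Failure` carrying the original exception, so callers blocking in `get` are never left waiting on a future whose producer silently died.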
We do this because Lift does a lot of AJAX-based script injection at the moment, which requires eval. So, to avoid breaking a Lift application, unsafe-eval stays on. Also expand a little on documentation to indicate Lift’s reliance on this functionality.