Dcb issue 1677, send pre-creation CometActor messages in the order received Fixes an issue where CometActor messages sent with session.sendCometActorMessage to actors that are not yet initialized would be sent to it in the wrong order once the actor *was* eventually initialized. Specifically, they were sent backwards. They are now sent in the correct order.
Fixed the new bind-less password change in ProtoUser The right side of CSS selector transforms is call-by-name, so we were computing two separate password fields for the password and confirmation input. As a result, we were failing to set the password because the confirmation input and password input both registered as not having a confirmation submitted for them. We now generate the password input ahead of time and reuse it to get the right behavior.
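The by-name pitfall that commit describes, as an added example that is not Lift's code and not the ProtoUser change itself: a toy transform whose right-hand side is a by-name parameter (standing in for the `#>` right-hand side) applied to two matching inputs. `passwordField`, `Transform`, `broken` and `fixed` are hypothetical names for illustration; the counter shows how many distinct fields each approach creates.

```scala
import scala.xml.{Elem, NodeSeq}

// Hypothetical illustration, not Lift's CSS selector transform implementation.
object CallByNameTransform {
  private var fieldsBuilt = 0

  // Stand-in for a form-field generator such as SHtml.password: every call yields a
  // fresh field with its own name, which is what password/confirmation pairing keys on.
  def passwordField(): Elem = {
    fieldsBuilt += 1
    <input type="password" name={s"F$fieldsBuilt"}/>
  }

  // The right-hand side is by-name: it is re-evaluated for every element the selector matches.
  final case class Transform(selector: String, rhs: () => NodeSeq)
  def transform(selector: String)(rhs: => NodeSeq): Transform = Transform(selector, () => rhs)

  // Apply one transform to every matched element, evaluating the right-hand side per match.
  def applyTo(t: Transform, matched: Seq[String]): Seq[(String, NodeSeq)] =
    matched.map(id => id -> t.rhs())

  // Constructed sample: the selector matches both the password and the confirmation input.
  val matchedInputs: Seq[String] = Seq("password", "confirm")

  // Looks like one field bound twice, but passwordField() runs once per match: two fields.
  def broken(): Seq[(String, NodeSeq)] = {
    fieldsBuilt = 0
    applyTo(transform("input[type=password]")(passwordField()), matchedInputs)
  }

  // Build the field ahead of time and reuse the same element for both inputs: one field.
  def fixed(): Seq[(String, NodeSeq)] = {
    fieldsBuilt = 0
    val field = passwordField()
    applyTo(transform("input[type=password]")(field), matchedInputs)
  }

  def main(args: Array[String]): Unit = {
    val b = broken()
    println(s"broken: ${fieldsBuilt} field(s) built for ${b.size} inputs; distinct names = ${b.map(_._2.toString).distinct.size}")
    val f = fixed()
    println(s"fixed:  ${fieldsBuilt} field(s) built for ${f.size} inputs; distinct names = ${f.map(_._2.toString).distinct.size}")
  }
}
```

The `fixed` variant is the shape of the commit's remedy: evaluate the field once into a `val`, then hand that value to the transform, so the by-name parameter only ever returns the same element.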
…the order received, rather than reverse order.
…wer form of findOrCreateComet.
…tSetup List in wrong order”
Midair Collision: Fix issue where binding an `href` and an `onclick` together could fail. This only manifested when the onclick came before the href on an a element, and probably also manifested if you bound an onsubmit on a form that had an action attribute. The cause was just that I had forgotten to properly pass on already-seen event attributes when processing the href attributes, so we lost them.
We disable external doctypes altogether, and we also enable secure processing; combined, these mitigate more attacks than just the XML External Entity attack. The tests are updated to indicate that we now throw an exception whenever we encounter an XML document with a doctype declaration. Signed-off-by: Diego Medina <firstname.lastname@example.org>
This particularly manifested when the attribute whose href we wanted to fix (e.g., the `href` attribute on an `a` element or the `action` attribute on a `form` element) also had an event handler (e.g. `onclick`). The code that fixed the href failed to pass on the event handlers that had been seen so far to the attribute-fixing chain, so they got lost before they could be applied.
The secure XML parser does not allow entity references to refer to external entities; allowing this exposes an application to XXE (XML External Entity) attacks, where the external reference can be to a local file with sensitive data, whose contents will then appear in the resulting parse error messages. External entities are ignored and will not appear in the parsed or reserialized XML. All of Lift's built-in XML parsing now uses Helpers.secureXML instead of directly using scala.xml.XML, including in tests. More at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing . Signed-off-by: Diego Medina <email@example.com>
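A parser configuration of the kind the two XML commits above describe (external DTDs and entities disabled, secure processing on, any DOCTYPE rejected), as an added example. This is not Lift's `Helpers.secureXML`; `SecureXml`, `hardenedParser` and `parseSecurely` are hypothetical names, the feature URIs are the standard JAXP/Xerces ones, and the two documents are constructed inputs.

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}

// Hypothetical helper for illustration; not Lift's Helpers.secureXML.
object SecureXml {
  // Build a JAXP SAX parser that rejects DOCTYPE declarations, never resolves external
  // general/parameter entities or external DTDs, and has JAXP secure processing enabled.
  def hardenedParser(): SAXParser = {
    val factory = SAXParserFactory.newInstance()
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    factory.setXIncludeAware(false)
    factory.newSAXParser()
  }

  // Parse with the hardened parser. A document carrying a DOCTYPE comes back as a Failure
  // (a SAXParseException) instead of being parsed, matching the behaviour the commits describe.
  def parseSecurely(xml: String): Try[Elem] =
    Try(XML.withSAXParser(hardenedParser()).loadString(xml))

  // Constructed sample inputs: one plain document, one with an external DOCTYPE reference.
  val plain: String = "<user><name>alice</name></user>"
  val withDoctype: String =
    """<?xml version="1.0"?>
      |<!DOCTYPE user SYSTEM "http://dtd.example.invalid/user.dtd">
      |<user><name>alice</name></user>""".stripMargin

  def main(args: Array[String]): Unit =
    Seq("plain" -> plain, "with DOCTYPE" -> withDoctype).foreach { case (label, doc) =>
      parseSecurely(doc) match {
        case Success(elem) => println(s"$label: parsed, name=${(elem \ "name").text}")
        case Failure(e)    => println(s"$label: rejected (${e.getClass.getSimpleName}: ${e.getMessage})")
      }
    }
}
```

Rejecting the DOCTYPE outright is the broadest of these settings: it stops external entity resolution before any entity is declared, and also rules out entity-expansion attacks that never reference an external resource, which is why the commits say the change covers more than XXE alone. The remaining feature flags are defence in depth for parsers that accept a DOCTYPE.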
Fix LAFuture.map/flatMap when an exception happens inside. Before the change `LAFuture.map`/`.flatMap` never satisfied the future in cases where the function threw an exception. After the change, the returned future is satisfied by a `Failure`. This change also contains a minor fix: `get(timeout)` was returning `Empty` instead of a `Failure` if the `LAFuture` was aborted. Also added extensions providing `toBox` conversions from `scala.Option` and from `scala.util.Try`.
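The failure mode that commit fixes, shown on a deliberately minimal future, as an added example that is not `LAFuture` or any other Lift code. `MiniFuture`, `mapBroken`, `map` and `flatMap` are hypothetical; `mapBroken` reproduces the pre-fix behaviour (a throwing function leaves the mapped future unsatisfied), while `map` and `flatMap` wrap the call in `Try` so the exception lands in the result as a `Failure`.

```scala
import scala.util.{Failure, Success, Try}

// Hypothetical single-value future for illustration; not Lift's LAFuture.
final class MiniFuture[T] {
  private var result: Option[Try[T]] = None
  private var callbacks: List[Try[T] => Unit] = Nil

  // Satisfy at most once; run callbacks registered before completion.
  def satisfy(value: Try[T]): Unit = {
    val pending = synchronized {
      if (result.isDefined) Nil
      else { result = Some(value); val cbs = callbacks.reverse; callbacks = Nil; cbs }
    }
    pending.foreach(cb => cb(value))
  }

  def onComplete(f: Try[T] => Unit): Unit = {
    val already = synchronized {
      result match {
        case Some(r) => Some(r)
        case None    => callbacks = f :: callbacks; None
      }
    }
    already.foreach(f)
  }

  def isSatisfied: Boolean = synchronized(result.isDefined)

  // Before the fix: if f throws, the exception escapes the callback and `out` is never satisfied.
  def mapBroken[U](f: T => U): MiniFuture[U] = {
    val out = new MiniFuture[U]
    onComplete {
      case Success(v) => out.satisfy(Success(f(v)))
      case Failure(e) => out.satisfy(Failure(e))
    }
    out
  }

  // After the fix: a thrown exception satisfies `out` with a Failure.
  def map[U](f: T => U): MiniFuture[U] = {
    val out = new MiniFuture[U]
    onComplete(r => out.satisfy(r.flatMap(v => Try(f(v)))))
    out
  }

  // Same treatment for flatMap: both a throwing f and a failed inner future become a Failure.
  def flatMap[U](f: T => MiniFuture[U]): MiniFuture[U] = {
    val out = new MiniFuture[U]
    onComplete {
      case Failure(e) => out.satisfy(Failure(e))
      case Success(v) => Try(f(v)) match {
        case Success(inner) => inner.onComplete(r => out.satisfy(r))
        case Failure(e)     => out.satisfy(Failure(e))
      }
    }
    out
  }
}

object MiniFutureDemo {
  def main(args: Array[String]): Unit = {
    val source = new MiniFuture[Int]
    def risky(n: Int): Int = if (n == 0) throw new ArithmeticException("boom") else 10 / n

    // Register the fixed mapping first: the broken callback's exception escapes satisfy()
    // and would otherwise prevent later callbacks from running at all.
    val fixed  = source.map(risky)
    val broken = source.mapBroken(risky)
    val chained = fixed.flatMap(n => { val f = new MiniFuture[Int]; f.satisfy(Success(n + 1)); f })

    Try(source.satisfy(Success(0)))   // swallow the exception leaking out of mapBroken

    println(s"broken satisfied?  ${broken.isSatisfied}")
    println(s"fixed satisfied?   ${fixed.isSatisfied}")
    fixed.onComplete(r => println(s"fixed result:      $r"))
    chained.onComplete(r => println(s"flatMap result:    $r"))
  }
}
```

The design point is that anything a caller waits on must be completed on every path through the combinator, including the path where the user-supplied function throws; otherwise a `get`-style timeout is the only signal, which is what the commit's `get(timeout)` fix also addresses by returning a `Failure` rather than an empty value.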