Lift 2.6.1: Security Release

Lift 2.6 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.

Lift 2.6.1 introduces net.liftweb.util.Helpers.secureXML, an analogous object to
Scala's scala.xml.XML that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted user-provided XML using
scala.xml.XML, it is recommended that you switch to secureXML instead.

Lift 2.6.1 was rapidly superseded by Lift 2.6.2, which secures the secureXML
object against a few additional XML-based attacks.

Lift 2.5.2: Security Release

Lift 2.5.1 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.

Lift 2.5.2 introduces net.liftweb.util.Helpers.secureXML, an analogous object to
Scala's scala.xml.XML that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted user-provided XML using
scala.xml.XML, it is recommended that you switch to secureXML instead.

Lift 2.5.2 was rapidly superseded by Lift 2.5.3, which secures the secureXML
object against a few additional XML-based attacks.

Lift Framework 3.0-M3

This release brings quite a few changes, mostly as small improvements and bug fixes over M2. M3 is the next “stable snapshot” release, meaning that we've got some more big potentially-breaking changes in the pipeline and we're putting M3 out so that if you're on the SNAPSHOT build and those changes have negative effects, you can fall back on M3 and continue working.

Without further ado, here's a list of the changes that went in between M2 and M3 (note that they are not all super well-documented; more documentation will come before the 3.0 final release, but in the meantime please ask any questions you may have on the Lift mailing list):

Deprecations

• (#1668) Much of TimeSpan's functionality has been deprecated. TimeSpan conflated several different concepts, including DateTime, Duration, and Period, which did not have the same semantics. As a result, there were corner cases where it could behave in very unexpected ways. In order to fix this, we've deprecated TimeSpan functionality for all uses that are not as a simple millisecond Duration. This deprecation takes effect for the final release of Lift 3.0, which means the functionality in question won't be removed until Lift 3.1 at the earliest. Big big thanks to @arkadius for spotting this issue while trying to clean up specs, and taking point on adding the various deprecations.

Improvements

• (#1619) Added a MessageCometActor which is designed solely for pushing what were until now called partialUpdates. This is the beginning of a reworking of the comet API into a base MessageCometActor that handles just the messaging facet of comets, and a CometActor that works like the current one does. In particular, MessageCometActor does not have an overridable render method, as it is not expected to render itself—only to push updates. If your comet actor uses render, make sure that a call to render can replace any previous rendering + any partial updates since then. That is to say, rendering at time t_0 and then sending partial updates at t_1, t_2, and t_3 should produce the same result as rendering at time t_4. This is because calling render clears the list of partial updates, so if that condition does not hold, you can lose information. In these cases, please render separately and use MessageCometActor. In MessageCometActor, you can and should use pushMessage instead of partialUpdate to send a message to the client. We'll expand further on the distinction once we've fleshed out the APIs a bit more.
• (#1619) Rename devMode on CometActor to alwaysReRenderOnPageLoad to clarify what its purpose is.
• (#1652) Lift now supports a LiftRules.contentParsers rule that can be used to define parsers for templates, which the template loading pipeline can then use to load templates of various types. Out of the box, we provide the existing HTML and Markdown parsers, but this can easily be used to add, e.g., asciidoc support. The Scaladocs for LiftRules.contentParsers and the ContentParser class should provide a good guide to getting started, and an example of adding asciidoc support can be seen in @joescii's blog source code.
• (#1609) Using toSingleBox on a List[Box] that contains Failures now produces a ParamFailure whose chain is set up so that you can call failureChain to get all of those failures. You can still use the ParamFailures param to get the original list of boxes.
• (#1663) HLists are now covariant in their type parameters. Lift provides a lightweight HList in lift-util; this is a small improvement to it. More comprehensive (but also heavier and harder on the compiler) HLists are available using shapeless, as well.
• (#1649) Session ids are no longer emitted into page markup.
• (#1650) The scaladocs in lift-common have seen a lot of general cleanup and improvement.
• (#1656, #1658) More reliable specs in a few corners of the framework, thanks to @arkadius.

Bug fixes

• (#1619) Lift 3.0 milestone builds until now had a few comet-related bugs. Amongst other things, they could unexpectedly lose partial updates and call render more than once when a page was initially rendered. Most of these issues should now be fixed.
• (#1619) lastListenerTime is now accurate, where before it was never updated.
• (#1639) When throwing a ResponseShortcutException during an AJAX request handler, we now correctly serve the specified response. Before, only those with a location attached were handled, by serving a JS redirect command. Now you can serve any response you want—though those that have a location associated will always result in a JS redirect command for now.
• (#1640) The email regex in ProtoRules is now case insensitive and includes support for TLDs longer than 4 characters.
• (#1646) Lift 3.0-M2 introduced the ability to serve new comet actors via AJAX; however, doing this from within an AJAX handler bound inside a comet, or using a partialUpdate, had a few issues that prevented it from working correctly. These are now fixed.
• (#1646) S.appendJs from inside a comet's message handler could occasionally produce double execution of the JS, and other times could simply not work. S.appendJs should now always work and correctly execute the JS only once when used from within a comet's message handler.
• (#1648) Fix use of S.oneShot and S.callOnce with ajaxOnSubmit.
• (#1664) The LAFuture singleton's collect and collectAll functions, when given an empty list, now return an LAFuture that is immediately satisfied with an empty list. Before, these would return a future that would never be satisfied. Thanks to @arkadius.

Removals

• (#1619) Introduced in the first milestone of Lift 3.0, CometActor's lastWhenDeltaPruner has been removed as it could present timing issues that were difficult to fix. It may make a reappearance before Lift 3 goes final, depending on whether we figure out how to implement it more robustly.

Lift 2.6

The final Lift 2.6 release contains all of the functionality from the previous milestone builds and release candidates:

• 2.6-M1
• 2.6-M2
• 2.6-M3
• 2.6-M4
• 2.6-RC1
• 2.6-RC2

Lift 2.6-RC2

Bug Fixes

• Fix for the conflict between the private class scala.io.Position and our implementation of it. Hat tip to @fmpwizard to fixing this in #1636.
• Fix for the incorrect manipulation of ajaxPostTimeout on the server, which caused threads processing an ajax request to stick around longer than they should have. Penguin tip to @fmpwizard for fixing this in #1637.
• Added an implicit conversion from tuple to SelectableOption for backward compatibility niceness. Bacon tip to @fmpwizard for fixing this in #1630.
• Removed some unnecessary synchronization for Vars. Shoe tip to @davewhittaker for making that happen in #1631.
• Return DefaultConnectionIdentifier.jndiName to being a var, with an added deprecation warning. JNDI tip to @eltimn for making that happen in #1623.

Lift Framework 3.0-M2

This is the first “clean” release of Lift 3.0. This means that we've removed all currently-deprecated items from Lift 3.0 (i.e., anything that is deprecated in Lift 2.6 is gone in Lift 3.0-M2). This release still shouldn't be considered stable per se, in that there may be some additional removals in the future, but we don't currently have any such removals planned.

Additionally, a lot of additional feature work has gone into this, as many of the pull requests that were pending a milestone release of 3.0 before have now gone in. Here's a high-level breakdown of things that have gone in, though they are not yet particularly well-documented (more documentation will come before the 3.0 final release; in the meantime, please ask any questions you may have on the Lift mailing list).

Breaking Changes

• JavaScript handling
  • liftAjax is no longer available on the client, as it has been significantly restructured.
  • There is now a public API for Lift's few client-side functions; it resides under the window.lift object. It is not yet documented, and should be considered volatile until we announce otherwise.
  • Lift AJAX calls are now routed under <context path>/lift/ajax
  • Lift comet calls are now routed under <context path>/lift/comet
  • Everything under /lift is reserved for Lift's use. That path can be customized via
    LiftRules.liftContextRelativePath. Unlike before, when you could customize AJAX and comet paths
    separately, you can now only customize the top-level Lift path, and everything underneath
    it is reserved for Lift's use, both present and future.
• (#1584) lift-json's JField stopped being a JValue; it is now instead a type alias for (String, JValue). This is a cleaner representation, but it means that map, transform, find, and filter only operate on proper JValues, and using these on fields requires using mapField, transformField, findField, and filterField.
• (#1548) The old binding strategy based on the bind function is now gone. CSS selector transforms should be used instead. Several built-in snippets have been migrated away from the old bind strategy. The changed snippets are:
  • Paginator
  • ProtoUser
  • Crudify
  • LiftScreen (now behaves like CssBoundLiftScreen)
  • CssBoundLiftScreen (now LiftScreen)
  • FormProcessor (removed)
  • TableEditor
  • Util in mapper.view
• (#1585) CometActor behavior has changed—comets with no type specified are no longer supported.

Improvements

• (#1585) Sending new comets to the client in AJAX callbacks now works.
• (#1585) Comets can now be instantiated programmatically via a well-defined S API.
• (#1613) S.request is now empty in comet actors.
• (#1607) The lazy-load snippet now works in AJAX responses (builds on the comet support above).
• (#1607) Scala Future and Lift LAFuture can be used in a CSS selector transform and will automatically be set up for lazy loading.
• (#1606, #1537) Lift 3 now builds exclusively on Scala 2.11, using sbt 0.13.
• (#1522) Add the ability to force reading RestHelper post data as JSON or XML even if the sent Content-Type is incorrect.
• (#1253) withFilter added to BaseResponse class (for testing) so that it can be used correctly in forcomprehensions.
• (#1574) Fix an issue where there were two very different overloads of updateListeners in ListenerManager. One of them is now named sendListenersMessage.
• (#1559) JavaScript added to the page via S.appendJs during the initial page render is now accumulated into a file under the <context path>/lift path and referenced from the page. Things like on* event handlers and such will in the future also be placed in this file so that the generated HTML is free of inline script when using Lift's built-in behavior. This will allow a restrictive Content-Security-Policy for security purposes.

Fixes

• (#1253) withFilter added to BaseResponse class (for testing) so that it can be used correctly in forcomprehensions.
• (#1572) Fixed an issue in 3.0-M1 where boolean values in roundtrip responses could cause issues.
• (#1593) BsonRecordListField validates all elements by default on validate
• (#1597) Fixed an issue in Lift 3.0-M1 where the AJAX paths did not include the context path.

2.6-RC1

Changes

• Included option attributes in multiSelect_*.
• Improved memory usage by sharing init key value for each *Var.
• Added explicit parameter type when looking for snippet methods.
• Added Date header when sending mail.
• Exclude the Position.scala file in builds for Scala < 2.11.

2.6-M4

Changes

• 2.10 versions of Lift are now built for Scala 2.10.4.
• We are now publishing Lift builds for 2.11, built with Scala 2.11.1.
• MongoRecord.save now has a default true value for its safe parameter.
• Add saveBox, updateBox, and deleteBox_! methods to MongoRecord
  that catch exceptions and return a Box.
• Moved MongoIdentifier to use a common ConnectionIdentifier shared with
  other record types.
• Added RecordRules.fieldName, a FactoryMaker that lets you modify a field's
  corresponding database name based on the database connection and the field's
  variable name. (#1505).
• Added RecordRules.displayName, a FactoryMaker that lets you modify a field's
  display name (the name rendered in the UI) based on the record instance being
  handled, the current locale, and the default display name.
• Added MongoRules.collectionName, an Inject that lets you modify the name of a MongoRecord class's collection based on the connection and the
  class name.
• Fix MongoListField's setFromJValue to properly handle special mongo data
  types.
• Add AsObjectId extractor for pattern matching ObjectId Strings.
• Add AsMongoRecord extractor for pattern matching a Mongo Record instance
  based on an incoming String id.
• Add JsonObjectId, JsonRegex, JsonUUID, JsonDate, and JsonDateTime
  extractors for lift-mongodb-formatted JValues.
• Added a withFilter method to suppress warnings when using the BaseResponse
  class in Lift tests (see #1253).
• Wrap mail parts in multipart/related MIME part in emails (see #1569).
• CometActor now handles ResponseShortcutExceptions with redirect responses
  by sending an appropriate RedirectTo command to the client. This means that
  e.g. S.redirectTo will work as expected in a CometActor. Note that this is implemented
  in the default exceptionHandler of CometActor, so if you've overridden it you'll
  need to make sure that the default handler is something you eventually invoke.
• Added the ability to get a forced version of a request body as JSON or XML,
  regardless of whether the specified Content-Type of the request was correct.
  These are Req.forcedBodyAsJson and Req.forcedBodyAsXml, respectively.
• Return a Failure with descriptive error message if bodyAsJson or bodyAsXml
  are invoked and we don't return the relevant JSON or XML due to an incorrect
  Content-Type in the request.
• Added a short note on StackableMaker's doWith (used by FactoryMaker,
  amongst other things) regarding the fact that its changes to its maker's value
  are thread-local.

Deprecations

• JSONParser, Lift's legacy JSON parser, along with its dependents:
  • MetaRecord.setFieldsFromJSON
  • MetaRecord.fromJSON
  • CometActor's handleJson, jsonCall, and jsonInCode
  • S.buildJsonFunc
  • S.jsonFmapFunc with Any=>JsCmd
  • JsonHandler
  • SHtml.fjsonCall
  • SHtml.jsonButton with Any=>JsCmd
  • SHtml.jsonForm
• Mapper and MetaMapper's snippet bindings that use PartialFunctions:
  • addSnippet, editSnippet, viewSnippet (in favor of addFormSnippet,
    editFormSnippet, and viewTransform, all based on CSS selector transforms)
  • modSnippet, used in addSnippet and editSnippet, superseded by formSnippet.
  • add, edit, and view snippets in HTML, in favor of addForm, editForm,
    and viewTransform
  • fieldMapperPF, in favor of fieldMapperTransforms
  • fieldPF, appendField, and prependField, in favor of fieldTransforms,
    appendFieldTransform, and prependFieldTransform.
• MongoAddress, MongoHostBase, MongoHost, MongoSet and all functions that
  take them as parameters. Please use the Mongo Java driver's MongoClient instead.
• MongoRecord.save with no parameters. Please use the version with one
  parameter, and invoke it with empty parens (save()) if you want a safe save. The
  default for save with no parameters was an unsafe save, which can be achieved using
  save(false).
• MongoMeta.ensureIndex; use MongoMeta.createIndex instead.
• ListenerManager.updateListeners(Any); use ListenerManager.sendListenersMesage(Any)
  instead.

Lift Framework 3.0-M1

Quick fix over 3.0-M0, this fixes an issue where the comet-related ListenerManager
trait would not notify a comet when it was first subscribed to it.

Lift Framework 3.0-M0

This build includes early work on Lift 3.0 that has been available in the snapshot for
some time, as well as some recent cleanup that has gone in. It is a stable base for
people who have been using Lift's 3.0 snapshot, as there is likely to be continuing and
significant churn in the mainline 3.0 snapshot over the coming months.

A couple of new features include:

• Round-trips and streaming promises
• Custom data- and element handling

More to come on that front—and more to be documented as well.

Removed Deprecations

• JSONParser, Lift's legacy JSON parser, along with its dependents:
  • MetaRecord.setFieldsFromJSON
  • MetaRecord.fromJSON
  • CometActor's handleJson, jsonCall, and jsonInCode
  • S.buildJsonFunc
  • S.jsonFmapFunc with Any=>JsCmd
  • JsonHandler
  • SHtml.fjsonCall
  • SHtml.jsonButton with Any=>JsCmd
  • SHtml.jsonForm
• Mapper and MetaMapper's snippet bindings that use PartialFunctions:
  • addSnippet, editSnippet, viewSnippet (in favor of addFormSnippet,
    editFormSnippet, and viewTransform, all based on CSS selector transforms)
  • modSnippet, used in addSnippet and editSnippet, superseded by formSnippet.
  • add, edit, and view snippets in HTML, in favor of addForm, editForm,
    and viewTransform
  • fieldMapperPF, in favor of fieldMapperTransforms
  • fieldPF, appendField, and prependField, in favor of fieldTransforms,
    appendFieldTransform, and prependFieldTransform.
• lift-mongo's MongoIdentifier in favor of ConnectionIdentifier in lift-util
• lift-mongo's constructors and methods dealing with db connections that aren't in
  the form of MongoClient (Mongo, MongoHost, etc)