The Official Lift blog
The Lift Committers blog about the Lift Web Framework
Lift XML Vulnerability
March 22, 2015
A Serious Vulnerability
Security testing at a large Lift-powered site revealed a serious XML-related security vulnerability.
The core issue is that Lift versions prior to the recently patched 2.5.2, 2.6.1, and 3.0-M4 are vulnerable to an XML eXternal Entity (XXE) attack. The attack allows access to the local filesystem via XML entities:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >
    ]>
    <foo>&xxe;</foo>
The root cause of the problem is that Lift uses Scala's scala.xml.XML library for parsing, and the default configuration of that library is insecure.
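One way to configure scala.xml parsing so that the document above is rejected, shown as an added example (it is not Lift's patch, which this page does not show). The names HardenedXML and Demo are hypothetical, and the feature URIs assume the Xerces-based parser bundled with the JDK.

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import scala.util.{Failure, Success, Try}
import scala.xml.Elem
import scala.xml.factory.XMLLoader

// Hypothetical replacement for scala.xml.XML: same load/loadString API,
// but backed by a SAX parser that refuses DTDs and external entities.
object HardenedXML extends XMLLoader[Elem] {
  override def parser: SAXParser = {
    val f = SAXParserFactory.newInstance()
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Primary control: any document carrying a DOCTYPE is a fatal error.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth in case DOCTYPEs are ever re-enabled.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f.setXIncludeAware(false)
    f.setNamespaceAware(false)
    f.newSAXParser()
  }
}

object Demo extends App {
  // The document from this post, embedded inline.
  val withEntity =
    """<?xml version="1.0" encoding="ISO-8859-1"?>
      |<!DOCTYPE foo [ <!ELEMENT foo ANY >
      |<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>""".stripMargin
  // Constructed benign input with no DOCTYPE.
  val plain = "<foo>bar</foo>"

  def check(label: String, doc: String): Unit =
    Try(HardenedXML.loadString(doc)) match {
      case Success(elem) => println(s"$label: parsed, text = '${elem.text}'")
      case Failure(e)    => println(s"$label: rejected (${e.getClass.getSimpleName})")
    }

  check("plain document", plain)
  check("document with external entity", withEntity)
}
```

Application code that parses untrusted input would call HardenedXML.loadString (or load) wherever it previously called scala.xml.XML directly.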
Angular JS, Lift 3, and Streaming Promises
April 18, 2013
Simple AngularJS
Lift has always had the best server-push technology around. Why? It's secure, it deals well with spotty connections, it respects the limited number of HTTP connections between the client and the server, and so much more.
Angular JS is a very exciting UI package that makes building dynamic single-page applications a snap because there's a 2-way binding between the model and the UI so that changes in the model are correctly reflected in the UI. And the whole binding is declarative so that once you use a model item in the UI, that part of the UI is always updated when the model changes.
Round Trips
First bit of Lift 3.0
February 12, 2013
Lift is growing
Lift is growing and evolving.
I've just started the Lift 3.0 code branch. Lift 3.0 will be based on Scala 2.10+ and will use features exclusive to 2.10 including macros. Lift 3.0 will also cut away at a lot of cruft that's grown onto Lift over the years, so 3.0 will have a bunch of breaking changes.
The Future is Futures
Lift 3.0 will support Futures (specifically LAFutures which are Lift's time-tested, solid Futures) such that you can do stuff like this in a REST call:
    object DelayedRest extends RestHelper {
      serve {
        case "delay" :: Nil Get _ =>
          LAFuture(() => {
            Thread.sleep(2000)
            <b>Hello</b>
          })
      }
    }
New Lift Contribution Policy
November 12, 2012
Contributions to Lift by non-committers
From the beginning of the Lift project, Lift has had a very well defined and restrictive Intellectual Property (IP) policy. All code in the various Lift repositories was created exclusively by committers who signed an IP assignment agreement (we adopted the Plone IP assignment.) All Lift code was created exclusively by the committers and the copyright in such code was assigned to an entity that holds the Lift copyrights.
Lift on Escalante
November 1, 2012
Escalante and OpenShift is a super-simple way to deploy Lift apps
The RedHat OpenShift folks are making it super-simple to deploy a Lift app.
The Escalante project provides an amazingly simple way to deploy a Lift app.
Basically, just write your Lift app with a Maven POM file, git-push the app to OpenShift and in a few minutes, your app is live.
How to do it
I built a simple Lift/Escalante app.
Basically, I followed the instructions and then I added the code for a simple chat app.
OpenShift and Escalante just work with Lift. Thanks to Galder for creating Escalante and lowering the barriers to entry for Lift.
Should I learn Lift?
October 5, 2012
Should I learn Lift?
This was the question I had about 3 years ago. I think I used Scala for about 3 months before I heard about Lift. And because I always liked web development, I figured this was a good way to learn Scala.
Fast forward to today, I left my job at Oracle/MySQL and joined Elemica, so I could work full time using Lift and become a Lift committer. I'm one of the most active members in the community, by participating on the mailing list, as well as writing about Lift.
How was the journey?
Cookbook updates for July
July 30, 2012
Six more recipes added to the Lift Cookbook this month:
- Sequencing CSS selector operations.
- Model a column with MySQL MEDIUMTEXT.
- [Viewing the liftproto H2 database](http://cookbook.liftweb.net/Viewing+the+liftproto+H2+database.html).
- Returning JSON from a REST service.
- Accessing HttpServletRequest.
- Add CSS class to an Ajax Form.
...bringing the total to 62 recipes.
The cookbook is a growing resource for Lift developers, presenting programming solutions to a range of specific questions. Follow @LiftCookbook for updates as they happen.
Happy 5th Birthday, Lift
February 25, 2012
Happy 5th Anniversary Lift
It was five years ago that I founded the Lift Web Framework project.
At that time, the Scala community was very small and academically focused. Lift was one of the first external libraries for Scala and Lift is now the venerable, longest-lived external library in the Scala ecosystem.
The Lift community has grown to over 3,000 people and more than 50 committers. There are multiple books on Lift and hundreds of sites built on Lift.
Lift Basics and Broad Shoulders
February 8, 2012
The Lift community is amazing. It's a collection of more than 3,000 people building amazing apps with Lift.
The Lift committer group is amazing. It's a collection of more than 50 people who put time and effort into writing the code in Lift and more importantly into creating an excellent, supportive environment in the Lift community.
Between the community and the committers, the shoulders that support Lift are indeed very broad and very strong.
The transition of scala-tools.org
February 3, 2012
It's been a little slow in coming (those ship dates always slip), but the Sonatype folks will be taking over the hosting of Scala related artifacts from scala-tools.org.
Currently, Sonatype is rsyncing the entire scala-tools.org repository so that anything published to scala-tools.org will be mirrored up to Sonatype.
We have transferred the LDAP information for all the scala-tools.org such that you will be able to publish directly to Sonatype's servers.
DPP's Lift Office Hours Monday February 6th
February 3, 2012
David Pollak will be available for Lift Office Hours to answer Lift-related questions either in person or on Skype from 11am to 3pm Pacific Standard Time.
Physical Location: 541 8th Street, San Francisco, CA 94121
Skype: lift-office-hours
Drop on by, give a call, I'll be glad to help!
Thanks,
David
Monday Jan 30 11am - 3pm Lift Office Hours with @dpp
January 24, 2012
Part of my ongoing commitment to Lift's growth and the success of Lift users and the Lift community, I will be doing "office hours" a couple of Mondays a month.
Office hours are an open invitation for anybody to drop by my office (541 8th Street in San Francisco) with Lift questions, suggestions, project demos or just to chat.
The first Lift Office Hours are from 11am PST to 3pm PST on Monday January 30th.
So, if you're in the Bay Area and want to chat, come on by. There's plenty of coffee, tea, and other beverages.
Looking forward to meeting folks!
Thanks!
David
No, I don't owe you scala-tools.org
January 21, 2012
Apparently I'm a jerk for shutting down scala-tools.org. Apparently, I'm an egomaniac for deciding not to sell the domain for "more than $0" even though nobody has made a legitimate offer for the domain. [Note: James Iry asked the question on Twitter. It was a perfectly reasonable question that I answered as best I could in 140 characters. I answered him and there were subsequent posts from others that personally attacked me for not doing things the way they think I should. Posts from others who attacked me for talking about using scala-tools.org to mourn the losses that I see in Scala-land. This post is *NOT* aimed at James. I like James. I respect James. James represents some of the very best of the Scala community and he was one of the folks who energized me about Scala and gave me hope that Scala could be a "local maximum of research and practical in computer languages." I am deeply sorry that James read this post as something about him.]
Scala-tools.org winding down
January 17, 2012
Scala-tools.org has been running for more than 3 years, providing Maven repository hosting to the Scala community.
Scala-tools.org was initially hosted on a machine that I owned and paid for and was co-administered by me and David Bernard. In May, 2009, we transitioned the hardware to something more robust as well as having Derek Chen-Becker and Josh Suereth take over the administration tasks. I still own the machine and pay for the hosting and bandwidth as well as organizing the administrators.
Announcing Lift 2.4 Final
January 12, 2012
The Lift team proudly announces the availability of the final release of Lift version 2.4.
Lift is a powerful, secure and most matured web framework available today. There are Seven Things that distinguish Lift from other web frameworks.
Lift applications are:
- Secure – Lift apps are resistant to common vulnerabilities including many of the OWASP Top 10
- Developer centric – Lift apps are fast to build, concise and easy to maintain
- Scalable – Lift apps are high performance and scale in the real world to handle insane traffic levels
- Interactive like a desktop app – Lift's Comet and Ajax support are super-easy and very secure
Read an overview of how Lift achieves these important goals.