Folks,

It is not lightly that I ban someone from the group... this is only the
second time I've banned a substantive poster.  I'm going to discuss some of
the process and then touch on some of the substance of the questions that
the poster was getting at.

The Lift community, reflected on this list, is an inquisitive, friendly
place where people who have a passion for building great web apps converge
and contribute to making Lift a really great open source framework.  Newbies
are the lifeblood of the group because they come with fresh perspectives and
new ways of looking at things.  Questions from newbies help us refine and
enhance Lift and the associated documentation.  Folks who are building
production apps on Lift receive the fastest turn-around because these folks
are betting their careers and their enterprises (even enterprises of one) on
Lift and they deserve the best support in the industry for taking this risk.

A big part of why this community is successful (in terms of size, quality of
discussion, and quality of results) is because we keep the quality of
discussion high.  How do we do this?  The folks who have been on the list
generally keep the level of discussion to the Lift ideals.  We reward
newbies with quick answers and encourage friendly discourse.  We are
generally slower to respond to those that are less reflective of the list
ideals.  I warn folks who are pushing boundaries (usually privately, but
every once in a while publicly) and where the line is.

In this case, nothing worked.  The poster was neither asking questions,
giving usable feedback, or being polite in his engagement with the folks on
the list.  I received a substantial number of private communications about
this poster (which is pretty rare), and I took action.

In terms of the substance, let me address the "threat" issue first.  I
threatened to ban the poster from the list.  Perhaps DHH or Martin would not
make such a threat.  I am very sure that the quality of discussion on the
Lift list is higher than that on the Rails list (one of the reasons I
started Lift was to be part of a nicer community.)  One cost of having a
nicer place is excluding those who do not fit.  The second "threat" I made
was to relay a tongue-in-cheek private communication I received about the
poster to the list (after receiving the okay from the guy that made the
communication to me.)  This "threat" was obvious, using video game rating
language <http://www.esrb.org/ratings/ratings_guide.jsp>, "Comic mischief"
and "Cartoon violence".  It was something that even a 6 year old can
distinguish from reality.  Put another way, the poster was talking about
Kafkaesque experiences with using Lift and I responded with Jonesian
<http://www.youtube.com/watch?v=CrupqdGvsoc&feature=PlayList&p=62FED0095A126F50&playnext=1&playnext_from=PL&index=9>
language.

In terms of the broader issue of Lift's HTML templating system being XHTML
only, yes, that's true.  Lift treats HTML templates as XML.  Lift's
templating system is not a String templating system but an XML templating
system.  This satisfies the needs to render content to HTML browsers.  If
there are needs for generating other kinds of content, Lift is not as good,
but in many cases there are better libraries for doing so.  Lift makes it
very simple to integrate other rendering/templating engines into Lift,
usually with a single line of code that dispatches the HTTP request to an
alternate provider of a LiftResponse.  If the poster had simply said, "I
want to template non-HTML output, can you show me how?" he would have gotten
a nice example (and I might have even rolled it into demo.liftweb.net or
maybe Tim might have blogged about it).

Keeping things in XML has a number of advantages and a few disadvantages.
First, the disadvantages: (1) you can't template non-XHTML responses and (2)
everything must be well formed XML.  The advantages are (1) security (2)
performance (it's easier to cache XML and the cost of mutating XML trees is
O(log N)), (3) there is better separation of logic from the view (perhaps
Terence Parr's String Template library achieves this level of separation),
and (4) the ability to mutate the resulting page (rewrite tags, move stuff
to head/tail, consolidate scripts) is more performant and less error-prone
than doing the same with a String-based representation.

I will address Bill's security question.  For String-based rendering systems
that emit HTML, the developer is the one who must make a decision at each
insertion point as to whether the incoming String needs to be escaped.
Because Strings are untyped, you don't know what they mean, if they're
"safe" to be passed directly or if they need to be escaped.  On the other
hand, keeping the output structure in XML, you know when you're promoting a
String to an XML element and by default, it's done securely.  The developer
has to affirmatively do something that will introduce a vulnerability.
Here's an example:

// Input under an attacker's control
val inputFromBadUser = "<script>alert('boo');</script>"
// String templating: the input is concatenated verbatim, so the script tag is emitted as markup
val vulnerableStringTemplating = "<div>The other guy said: " + inputFromBadUser + "</div>"
// XML templating: the String is promoted to a text node, so < and > are escaped on output
val safeXMLTemplating = <div>The other guy said: {inputFromBadUser}</div>


Sure, it's possible to use the "Unescaped" class for a String and it's
possible to parse the user's input as XML, but both of these cases are based
on doing something other than the default.  The default if you're using XML
for XHTML templating is that things are secure.  The default if you're using
Strings to represent the output is insecure unless the developer does the
right thing at each insertion point.

I thank you all for your participation in this community.  It's the kind of
place I like being part of and that's because of the quality of the people
and the discussions.  I want to make sure as we grow from 1,400+ members to
5,000 members that the group retains the quality and energy that it has.

David

On Tue, Oct 13, 2009 at 7:21 PM, David Pollak <feeder.of.the.be...@gmail.com
> wrote:

> You are banned from this group.
>
>
> On Tue, Oct 13, 2009 at 6:24 PM, Aule <grshipl...@gmail.com> wrote:
>
>>
>> Bryan
>>
>> Been there, tried that.
>> Oh - the mime type is "text/vnd.curl"
>>
>> Btw, actually a threat has been conveyed to me at mail.google.com and
>> I have protested to Google
>>
>> I can't imagine Dave Hansen or Martin Odersky or Bill Venners or Lex
>> Spoon sending me a threat, but so it goes ...
>>
>> At least I will not get 4 years in an Egyptian prison for insulting
>> Randy's Alma Mater (Madison).
>>
>> Oh Randy.  I read my Paul Valéry in the original.  www.hsinfosystems.com
>> is missing the accent on his surname.
>>
>> Lift is not Scala; I will continue to recommend Scala.
>>
>> For me, the jury on Lift is not yet in.  When some sycophants of
>> Seaside got nasty, I did not walk away from Seaside, warts and all.
>>
>> R
>>
>> On Oct 13, 8:10 pm, Bryan <germ...@gmail.com> wrote:
>> > Hi Aule,
>> >
>> > > I am still looking to see if I over-looked somewhere on the web where
>> > > there is a 1.0.2 Boot.scala
>> >
>> > >   1) showing unambiguously how to flip the default Content-Type
>> > >   2) and having, in fact, the intended effect
>> >
>> > >  as I now know from a few trials over a few hours that this is not as
>> > > simple as some web posts present.
>> >
>> > I have not had a need for this, so I had to search some "web posts" to
>> > find the answer.  Quickly, I found the following snippet:
>> >
>> > LiftRules.determineContentType = {
>> >   case _ => "text/curl"
>> >
>> > }
>> >
>> > I have not verified this, so please let us know if it does not help.
>> >
>> > > Were it trivial, I had not mocked a framework, and you, Mr. Pollock,
>> > > had not raged.
>> >
>> > From my readings, Mr. Pollak has yet to show any rage.
>> >
>> > --Bryan
>>
>> >>
>>
>
>
> --
> Lift, the simply functional web framework http://liftweb.net
> Beginning Scala http://www.apress.com/book/view/1430219890
>
> Follow me: http://twitter.com/dpp
> Surf the harmonics
>



-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics
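An added example, written for this page rather than taken from the post above or from the Lift project, that works through the security point David's inputFromBadUser snippet makes: with String templating the developer has to escape at every insertion point (and forgetting once injects markup), whereas building the output as an XML tree escapes promoted Strings by default and only an explicit opt-in wrapper lets raw markup through. It uses only the Python standard library; the function names, the Unescaped wrapper and the sample input are this example's own assumptions, chosen to mirror the post's Scala names.

```python
"""Added example (not from the Lift mailing-list post or the Lift project):
contrasts String templating, where the developer must escape at every
insertion point, with node-based (XML tree) templating, where promoting a
String to a text node escapes it by default and raw markup needs an explicit
opt-in. Standard library only; all names below are this example's own."""
import html
import xml.etree.ElementTree as ET

# Constructed attacker-controlled input, mirroring the post's inputFromBadUser.
INPUT_FROM_BAD_USER = "<script>alert('boo');</script>"


def string_template_vulnerable(user_input: str) -> str:
    """String concatenation: nothing escapes the input, so its markup is
    emitted as markup (the post's vulnerableStringTemplating)."""
    return "<div>The other guy said: " + user_input + "</div>"


def string_template_fixed(user_input: str) -> str:
    """Same template, but the developer remembered to escape at this one
    insertion point. Every other insertion point in a String-based system
    needs the same decision, which is the burden the post describes."""
    return "<div>The other guy said: " + html.escape(user_input, quote=True) + "</div>"


class Unescaped:
    """Explicit opt-in for raw markup, analogous to the post's 'Unescaped'
    class: a developer has to wrap a value in this to bypass escaping."""

    def __init__(self, markup: str) -> None:
        self.markup = markup


def xml_template(user_input) -> str:
    """Node-based templating (the post's safeXMLTemplating): the value becomes
    a text node and serialisation escapes <, > and &. Only a value wrapped in
    Unescaped is parsed and spliced into the tree as real elements."""
    div = ET.Element("div")
    if isinstance(user_input, Unescaped):
        # The non-default path: parse the fragment and append its nodes.
        fragment = ET.fromstring("<wrapper>" + user_input.markup + "</wrapper>")
        div.text = "The other guy said: " + (fragment.text or "")
        for child in fragment:
            div.append(child)
    else:
        # The default path: a plain String is text, never markup.
        div.text = "The other guy said: " + str(user_input)
    return ET.tostring(div, encoding="unicode")


def contains_script_element(rendered: str) -> bool:
    """Defender's check: parse the rendered output and report whether it
    contains a live <script> element rather than escaped text."""
    root = ET.fromstring(rendered)
    return root.find(".//script") is not None


if __name__ == "__main__":
    for label, out in [
        ("string (vulnerable)", string_template_vulnerable(INPUT_FROM_BAD_USER)),
        ("string (escaped)   ", string_template_fixed(INPUT_FROM_BAD_USER)),
        ("xml tree (default) ", xml_template(INPUT_FROM_BAD_USER)),
        ("xml tree (opt-in)  ", xml_template(Unescaped("<b>bold</b>"))),
    ]:
        print(f"{label}: script element present = {contains_script_element(out)}: {out}")
```

The check at the end parses each rendering back into a tree, which is the same test a reviewer would apply to a page produced by either system: escaped text parses as a text node, while a forgotten escape or an opt-in wrapper parses as a live element.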

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Lift" group.
To post to this group, send email to liftweb@googlegroups.com
To unsubscribe from this group, send email to 
liftweb+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/liftweb?hl=en
-~----------~----~----~----~------~----~------~--~---
