The necessity of this kind of action (the banning) is absolutely no sign of anything having been done wrong. There will ALWAYS be people like that.
On Wed, Oct 14, 2009 at 3:31 PM, koveen <liep...@xs4all.nl> wrote:
>
> I think that when someone enters a group, expecting to be shot,
> it is a very kind act only to ban him.
>
> Ko
>
> On Oct 14, 7:49 pm, David Pollak <feeder.of.the.be...@gmail.com>
> wrote:
> > Folks,
> >
> > It is not lightly that I ban someone from the group... this is only the
> > second time I've banned a substantive poster. I'm going to discuss some of
> > the process and then touch on some of the substance of the questions that
> > the poster was getting at.
> >
> > The Lift community, reflected on this list, is an inquisitive, friendly
> > place where people who have a passion for building great web apps converge
> > and contribute to making Lift a really great open source framework. Newbies
> > are the lifeblood of the group because they come with fresh perspectives and
> > new ways of looking at things. Questions from newbies help us refine and
> > enhance Lift and the associated documentation. Folks who are building
> > production apps on Lift receive the fastest turn-around because these folks
> > are betting their careers and their enterprises (even enterprises of one) on
> > Lift and they deserve the best support in the industry for taking this risk.
> >
> > A big part of why this community is successful (in terms of size, quality of
> > discussion, and quality of results) is because we keep the quality of
> > discussion high. How do we do this? The folks who have been on the list
> > generally keep the level of discussion to the Lift ideals. We reward
> > newbies with quick answers and encourage friendly discourse. We are
> > generally slower to respond to those that are less reflective of the list
> > ideals. I warn folks who are pushing boundaries (usually privately, but
> > every once in a while publicly) and where the line is.
> >
> > In this case, nothing worked.
> > The poster was neither asking questions, giving usable feedback, or being
> > polite in his engagement with the folks on the list. I received a
> > substantial number of private communications about this poster (which is
> > pretty rare), and I took action.
> >
> > In terms of the substance, let me address the "threat" issue first. I
> > threatened to ban the poster from the list. Perhaps DHH or Martin would not
> > make such a threat. I am very sure that the quality of discussion on the
> > Lift list is higher than that on the Rails list (one of the reasons I
> > started Lift was to be part of a nicer community.) One cost of having a
> > nicer place is excluding those who do not fit. The second "threat" I made
> > was to relay a tongue-in-cheek private communication I received about the
> > poster to the list (after receiving the okay from the guy that made the
> > communication to me.) This "threat" was obvious, using video game rating
> > language <http://www.esrb.org/ratings/ratings_guide.jsp>, "Comic mischief"
> > and "Cartoon violence". It was something that even a 6 year old can
> > distinguish from reality. Put another way, the poster was talking about
> > Kafkaesque experiences with using Lift and I responded with Jonesian
> > <http://www.youtube.com/watch?v=CrupqdGvsoc&feature=PlayList&p=62FED00...>
> > language.
> >
> > In terms of the broader issue of Lift's HTML templating system being XHTML
> > only, yes, that's true. Lift treats HTML templates as XML. Lift's
> > templating system is not a String templating system but an XML templating
> > system. This satisfies the needs to render content to HTML browsers. If
> > there are needs for generating other kinds of content, Lift is not as good,
> > but in many cases there are better libraries for doing so.
> > Lift makes it very simple to integrate other rendering/templating engines
> > into Lift, usually with a single line of code that dispatches the HTTP
> > request to an alternate provider of a LiftResponse. If the poster had
> > simply said, "I want to template non-HTML output, can you show me how?" he
> > would have gotten a nice example (and I might have even rolled it into
> > demo.liftweb.net or maybe Tim might have blogged about it).
> >
> > Keeping things in XML has a number of advantages and a few disadvantages.
> > First, the disadvantages: (1) you can't template non-XHTML responses and (2)
> > everything must be well formed XML. The advantages are (1) security (2)
> > performance (it's easier to cache XML and the cost of mutating XML trees is
> > O(log N)), (3) there is better separation of logic from the view (perhaps
> > Terence Parr's String Template library achieves this level of separation),
> > and (4) the ability to mutate the resulting page (rewrite tags, move stuff
> > to head/tail, consolidate scripts) is more performant and less error-prone
> > than doing the same with a String-based representation.
> >
> > I will address Bill's security question. For String-based rendering systems
> > that emit HTML, the developer is the one who must make a decision at each
> > insertion point as to whether the incoming String needs to be escaped.
> > Because Strings are untyped, you don't know what they mean, if they're
> > "safe" to be passed directly or if they need to be escaped. On the other
> > hand, keeping the output structure in XML, you know when you're promoting a
> > String to an XML element and by default, it's done securely. The developer
> > has to affirmatively do something that will introduce a vulnerability.
> > Here's an example:
> >
> > val inputFromBadUser = "<script>alert('boo');</script>"
> > val vulnerableStringTemplating = "<div>The other guy said: "+inputFromBadUser+"</div>"
> > val safeXMLTemplating = <div>The other guy said: {inputFromBadUser}</div>
> >
> > Sure, it's possible to use the "Unescaped" class for a String and it's
> > possible to parse the user's input as XML, but both of these cases are based
> > on doing something other than the default. The default if you're using XML
> > for XHTML templating is that things are secure. The default if you're using
> > Strings to represent the output is insecure unless the developer does the
> > right thing at each insertion point.
> >
> > I thank you all for your participation in this community. It's the kind of
> > place I like being part of and that's because of the quality of the people
> > and the discussions. I want to make sure as we grow from 1,400+ members to
> > 5,000 members that the group retains the quality and energy that it has.
> >
> > David
> >
> > On Tue, Oct 13, 2009 at 7:21 PM, David Pollak <feeder.of.the.be...@gmail.com>
> > wrote:
> > > You are banned from this group.
> > >
> > > On Tue, Oct 13, 2009 at 6:24 PM, Aule <grshipl...@gmail.com> wrote:
> > >
> > >> Bryan
> > >>
> > >> Been there, tried that.
> > >> Oh - the mime type is "text/vnd.curl"
> > >>
> > >> Btw, actually a threat has been conveyed to me at mail.google.com and
> > >> I have protested to Google
> > >>
> > >> I can't imagine Dave Hansen or Martin Odersky or Bill Venners or Lex
> > >> Spoon sending me a threat, but so it goes ...
> > >>
> > >> At least I will not get 4 years in an Egyptian prison for insulting
> > >> Randy's Alma Mater (Madison).
> > >>
> > >> Oh Randy. I read my Paul Valéry in the original. www.hsinfosystems.com
> > >> is missing the accent on his surname.
> > >>
> > >> Lift is not Scala; I will continue to recommend Scala.
> > >>
> > >> For me, the jury on Lift is not yet in.
> > >> When some sycophants of Seaside got nasty, I did not walk away from
> > >> Seaside, warts and all.
> > >>
> > >> R
> > >>
> > >> On Oct 13, 8:10 pm, Bryan <germ...@gmail.com> wrote:
> > >> > Hi Aule,
> > >> >
> > >> > > I am still looking to see if I over-looked somewhere on the web where
> > >> > > there is a 1.0.2 Boot.scala
> > >> > >
> > >> > > 1) showing unambiguously how to flip the default Content-Type
> > >> > > 2) and having, in fact, the intended effect
> > >> > >
> > >> > > as I now know from a few trials over a few hours that this is not as
> > >> > > simple as some web posts present.
> > >> >
> > >> > I have not had a need for this, so I had to search some "web posts" to
> > >> > find the answer. Quickly, I found the following snippet:
> > >> >
> > >> > LiftRules.determineContentType = {
> > >> >   case _ => "text/curl"
> > >> > }
> > >> >
> > >> > I have not verified this, so please let us know if it does not help.
> > >> >
> > >> > > Were it trivial, I had not mocked a framework, and you, Mr. Pollock,
> > >> > > had not raged.
> > >> >
> > >> > From my readings, Mr. Pollak has yet to show any rage.
> > >> >
> > >> > --Bryan
> > >
> > > --
> > > Lift, the simply functional web framework http://liftweb.net
> > > Beginning Scala http://www.apress.com/book/view/1430219890
> > > Follow me: http://twitter.com/dpp
> > > Surf the harmonics
> >
> > --
> > Lift, the simply functional web framework http://liftweb.net
> > Beginning Scala http://www.apress.com/book/view/1430219890
> > Follow me: http://twitter.com/dpp
> > Surf the harmonics

--
Jack

You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to liftweb@googlegroups.com
To unsubscribe from this group, send email to liftweb+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en
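
The default-escaping argument in David Pollak's quoted message above, as an added example (not part of the thread and not Lift's own code): it renders the same hostile input through String concatenation and through a Scala XML literal, then re-parses each result to count live `<script>` elements. It assumes the scala-xml module is on the classpath; the object and method names are hypothetical, and `scala.xml.Unparsed` is used as the explicit opt-out.

```scala
import scala.xml.{Elem, Unparsed, Utility, XML}

// Added illustration; needs the scala-xml module on the classpath (assumption).
object TemplatingDefaults {
  // Constructed sample input, same shape as the one quoted in the thread.
  val inputFromBadUser = "<script>alert('boo');</script>"

  // String templating: the value is spliced verbatim, markup included.
  def stringTemplate(s: String): String =
    "<div>The other guy said: " + s + "</div>"

  // String templating is safe only if every insertion point escapes explicitly.
  def stringTemplateEscaped(s: String): String =
    "<div>The other guy said: " + Utility.escape(s) + "</div>"

  // XML templating: a String in braces becomes character data in the tree
  // and is escaped when the tree is serialized.
  def xmlTemplate(s: String): Elem =
    <div>The other guy said: {s}</div>

  // The opt-out has to be spelled out: Unparsed emits its content raw.
  def xmlTemplateOptOut(s: String): Elem =
    <div>The other guy said: {Unparsed(s)}</div>

  // Re-parse the serialized page and count <script> elements, i.e. what a
  // consumer of the output would actually see as markup.
  def scriptElementsIn(rendered: String): Int =
    (XML.loadString(rendered) \\ "script").length

  def main(args: Array[String]): Unit = {
    val rendered = Seq(
      "string, no escape" -> stringTemplate(inputFromBadUser),
      "string, escaped"   -> stringTemplateEscaped(inputFromBadUser),
      "xml, default"      -> xmlTemplate(inputFromBadUser).toString,
      "xml, Unparsed"     -> xmlTemplateOptOut(inputFromBadUser).toString
    )
    for ((label, html) <- rendered)
      println(s"$label: scripts=${scriptElementsIn(html)} $html")

    // Only the two paths with no escaping deliver a live <script> element.
    assert(rendered.map { case (_, h) => scriptElementsIn(h) } == Seq(1, 0, 0, 1))
  }
}
```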