Security issues using Lift as API endpoint for rich web app?


Byron Gibson

Apr 7, 2012, 2:11:52 PM4/7/12
to lif...@googlegroups.com
I may be building an HTML5/Javascript-heavy rich web app soon, with Lift as the JSON-serving API endpoint.  I've never done this before and am looking into the security aspects.  There's some discussion of it in these groups, but not much on security concerns specific to this kind of architecture.

Are there any security issues to be aware of when building an app like this, that are not normally a concern when using Lift in the standard way of DOM transforming?

Antonio Salazar Cardozo

Apr 7, 2012, 4:59:45 PM4/7/12
to lif...@googlegroups.com
Nothing out of the ordinary. If you still speak in DOM fragments back and forth, you still leverage Lift's automatic escaping of malicious XML-y content. If you speak in JSON, just be sure not to insert user-entered input into your DOM without first escaping it (either on the client or by assigning text nodes and not innerHTML).
Thanks,
Antonio
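The contrast Antonio draws, rendering a JSON-delivered string via innerHTML versus via text nodes or a server-side HTML escape, as an added example that is not part of this thread and not Lift's own code. It assumes a comment payload of the shape {author, body} coming back from the JSON endpoint (a constructed sample, with an attacker-supplied body), and it includes a small stand-in for the few DOM calls it uses so that it runs under Node; in a browser you would pass the real document instead.

```javascript
// Constructed sample: what the JSON endpoint might return for one comment.
// JSON encoding protects the transport, not the HTML context the string ends up in.
const apiResponse = JSON.stringify({
  author: 'mallory',
  body: '<img src=x onerror="alert(document.cookie)">Nice post!',
});

// Escape the characters that change meaning in HTML text and attribute contexts.
// This is what "escape on the server" means in practice; the same routine works on either side.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// UNSAFE: builds markup by string concatenation; the caller hands this to innerHTML,
// so the <img onerror=...> in the body is parsed as markup and the script runs.
function renderWithInnerHtml(comment) {
  return `<li><b>${comment.author}</b>: ${comment.body}</li>`;
}

// SAFE (escape before building markup): the same template, but every user-controlled
// string goes through escapeHtml first, so the payload is shown literally.
function renderEscaped(comment) {
  return `<li><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// SAFE (text nodes): build elements with the DOM API and assign user input via
// textContent / createTextNode. No HTML parsing ever happens on the untrusted string.
function renderWithTextNodes(doc, comment) {
  const li = doc.createElement('li');
  const b = doc.createElement('b');
  b.textContent = comment.author;
  li.appendChild(b);
  li.appendChild(doc.createTextNode(': ' + comment.body));
  return li;
}

// Minimal stand-in (an assumption of this example) for the DOM calls used above,
// so the block runs under Node. Serialising a text node escapes it, which is exactly
// what a real browser does when it renders text nodes back to HTML.
const fakeDocument = {
  createElement(tag) {
    return {
      tagName: tag,
      children: [],
      set textContent(v) { this.children = [fakeDocument.createTextNode(v)]; },
      appendChild(child) { this.children.push(child); return child; },
      get outerHTML() {
        const inner = this.children.map((c) => c.outerHTML).join('');
        return `<${this.tagName}>${inner}</${this.tagName}>`;
      },
    };
  },
  createTextNode(text) {
    return { outerHTML: escapeHtml(text) };
  },
};

const comment = JSON.parse(apiResponse);
console.log('innerHTML route :', renderWithInnerHtml(comment));
console.log('escaped route   :', renderEscaped(comment));
console.log('text-node route :', renderWithTextNodes(fakeDocument, comment).outerHTML);
```

The escaped and text-node routes produce identical, inert markup; the innerHTML route ships the attacker's tag intact. One caveat either way: text nodes and HTML escaping cover text content and quoted attribute values, but not URL-bearing attributes (an href of javascript:...) or strings that are later evaluated as script, which need their own context-specific validation.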

Byron Gibson

Apr 7, 2012, 8:57:27 PM4/7/12
to lif...@googlegroups.com
Good to hear nothing major, thanks!

Antonio Salazar Cardozo

Apr 7, 2012, 10:57:21 PM4/7/12
to lif...@googlegroups.com
Er, sorry, I meant either on the *server* or by assigning text nodes, hehe. Yeah, I can't think of anything else we've run into at the moment.
Thanks,
Antonio