Releases: lift/framework

Lift Framework 3.0.1

13 Dec 22:21

This is a small point release to make Lift 3 available for Scala 2.12. The
Lift 3.0.1 release is built for both Scala 2.11.4 and Scala 2.12.1. As per
the usual Lift strategy of long-term support, we currently intend on
supporting Scala 2.11.x for some time.

Note that the bump to 3.0.1 brings with it bumps in several dependencies:

  • Compile: Scalaz from 7.2.0 to 7.2.7.
  • Test: Scalatest from 2.1.3 to 3.0.1. Specs2 from 3.7 to 3.8.6.

Please be aware of these dependency bumps when upgrading, and let
us know if you have any issues!

Lift Framework 3.0.0

15 Nov 03:46

The Big One

Lift 3 has been several years in the making, and includes a lot of stuff. Going
through it exhaustively would be very difficult, so some highlights will be listed
and then links will be provided to other places where a lot of the finer changes
have been announced, mentioned, and discussed.

Thanks for your patience waiting for the final release, and enjoy! More to come,
as always :)

Version Support

Currently Lift 3.0.0 is built for Scala 2.11.8. Scala 2.12.0 has a compiler bug that
prevents us from building Lift 3 for it; 2.12.1 has a fix for this bug, and we'll be
publishing a 2.12 build shortly after that is released.

Big Improvements

  • Lift-json is a bit faster to serialize thanks to elimination of the intermediate scala.text.Document class,
    and hugely faster thanks to an optimization in the hot path of serialization by @chriswebster.

  • Addition of LiftRules.securityRules, which allows configuring:

    • Content-Security-Policy support (first-class support for CSP Level 1, defaults
      to allowing only same-origin resources except for images, which are allowed from
      all domains, and JS, which allows unsafe eval).
    • Strict-Transport-Security settings (default to off).
    • Frame restrictions (same-origin by default)
    • Whether the above restrictions should be turned off for dev run mode vs other run modes.
    • Whether violations of the above restrictions should be logged in dev mode vs other run modes.

    See the API documentation for SecurityRules for more.

  • Along with SecurityRules and supporting progressive enhancement, LiftRules.extractInlineJavaScript can be set to true to extract any onclick, onmouseover, and generally on* events, as well as javascript:-style URLs, into external event handlers. These are served on a per-page JS file and allow the CSP to be set to disallow unsafe inline JS while still permitting most classic server-side JS binding done in Lift using CSS selector transforms.

  • Props allows lookup of properties in places other than Lift's .props files. In particular, any Map can be used to find properties by passing it to Props.appendProvider.

  • Props also allows interpolation in property values; the values to interpolate can be added as a Map using Props.appendInterpolationValues.

  • Improved future and async support throughout, including:

    • Wrapping any right-hand value for a CSS selector transform in a Future or LAFuture (this will be rendered as a spinner to the client, until the future resolves at which point the content will be sent down). This is backed by the same infrastructure used for Lift's lazy snippet.
    • Wrapping any RestHelper response in a Future or LAFuture to have it handled asynchronously using container continuations, reusing all of the extensive support that Lift's comet actors use.
    • Including new comets in future values for CSS selector transforms or in AJAX responses or in lazy-loaded snippets without any additional plumbing or work. This also allows including lazy-loaded snippets in AJAX responses, or lazy-loaded snippets within lazy-loaded snippets (lazyception, as it were).
  • Arbitrary parsers for Lift templates can be added using LiftRules.contentParsers. By default, HTML and Markdown parsers are provided, but this can be straightforwardly expanded to, for example, asciidoc, or any other template that can be parsed to NodeSeq in Scala. See the Scaladocs for ContentParser and @joescii's blog source code for more.

  • Round-trips and streaming promises for even easier async support.

  • Custom data- and element handling for better domain-specific templates.

In addition to these big features, following is a broader summary of changes with some duplicates.

Breaking Changes

All deprecated methods in Lift 2.6 have been removed. If you have deprecation warnings
in your 2.6 application, it will not compile for Lift 3.0.0. However, there are also other
aspects that have been changed that could not be deprecated properly in Lift 2.6.

  • Box.get is no longer usable.
  • JavaScript handling
    • liftAjax is no longer available on the client, as it has been significantly restructured.
    • There is now a semi-public API for Lift's few client-side functions; see lift.js. Note that this API is not yet documented and therefore not considered stable, so use it directly only with great care. That said, we also don't have any specific plans to change that API's behavior.
  • Lift URIs
    • Lift AJAX calls are now routed under /lift/ajax
    • Lift comet calls are now routed under /lift/comet
    • Everything under /lift is reserved for Lift's use. That path can be customized via
      LiftRules.liftPath. Unlike before, when you could customize AJAX and comet paths
      separately, you can now only customize the top-level Lift path, and everything underneath
      it is reserved for Lift's use, both present and future.
  • In #1584, lift-json's JField stopped being a JValue; it is now instead a type alias for (String, JValue). This is a cleaner representation, but it means that map, transform, find, and filter only operate on proper JValues, and using these on fields requires using mapField, transformField, findField, and filterField.
  • In #1568, the old binding strategy based on the bind function was removed. CSS selector transforms should be used instead. Several built-in snippets have been migrated away from the old bind strategy; in general, elements and attributes that were prefixed by namespaces now correspond to classes without the prefixes. If you need any help migrating, please post to the Lift mailing list. The changed snippets are:
  • (#1585) CometActor behavior—comets with no type specified are no longer supported
  • (#1714) LocRewrite is now expected to return a (RewriteResponse, Box[T]) where T is the type of the menu item's param. Before it was a T rather than a Box[T].
  • (#1710) lift-json no longer uses scala.text.Document as an intermediary when rendering to a string.

Improvements

  • (#1585) Sending new comets to the client in AJAX callbacks
  • (#1619) MessageCometActor/CometActor distinction allows partialUpdates with fewer bugs.

Deprecations

  • (#1668) Much of TimeSpan's functionality has been deprecated. TimeSpan conflated
    several different concepts, including DateTime, Duration, and Period, which did not
    have the same semantics. As a result, there were corner cases where it could behave in
    very unexpected ways. In order to fix this, we've deprecated TimeSpan functionality for
    all uses that are not as a simple millisecond Duration. This deprecation takes effect for the
    final release of Lift 3.0.0, which means the functionality in question won't be removed until Lift
    3.1.0 at the earliest. Big big thanks to @arkadius for spotting this issue while trying to clean up
    specs, and taking point on adding the various deprecations.
  • (#1710) In lift-json, compact and pretty (previously used in conjunction with
    render to serialize JSON to a String) are now deprecated in favor of compactRender
    and prettyRender. They will be removed in Lift 3.1.0.
  • (#1742) FocusOnLoad is now deprecated in favor of S.appendJs(Focus(...))
    and/or using the HTML5 autofocus attribute.
  • (#1749) Our mongo dependencies were upgraded to the latest driver that
    supports some of our older customization strategies. The older customization
    is now deprecated for removal in 3.1.0. In particular, these are defineDbAuth
    and useSession wrappers.

Prior Announcements

There have been lots of posts about the new functionality in Lift 3 over the years; following
are links to the release notes for all of the milestone and RC releases, followed by a set of
links to the Lift Weekly/Monthly Recap series that covered a lot of the early additions.

Release Notes

Lift Framework 3.0-RC4: Fourth Release Candidate

03 Oct 01:52

RC3 (and previous pre-release versions of Lift 3 that do event extraction for
content security policy purposes) had an issue where AJAX responses containing
HTML that in turn contained embedded event handlers could in certain cases turn
into attempts to attach events before the associated HTML elements were in
the DOM. This caused failures with existing apps.

Due to the lateness in the RC cycle of this bug, we've opted to allow for
disabling event extraction altogether, and disabled it by default. This
means that apps that have been using event extraction will want to enable it
explicitly by setting:

LiftRules.extractInlineJavaScript = true

We will enable it by default in a future Lift 3 point release once we're confident
of its correct behavior.

We expect this to be the last RC before Lift 3 goes final.

Breaking Changes

  • (#1809) You must now explicitly enable event extraction (which turns on*-style
    event attributes in HTML and javascript:-style form submission and link URLs into
    out-of-band JavaScript that attaches event handlers, making HTML like this
    generated by Lift compatible with restrictive content security policies) in order for
    Lift to do this. This was done in response to noticing some issues with event extraction
    and HTML-appending AJAX responses, which could in some cases attempt to bind
    event handlers before the relevant nodes were in the DOM, and thus failed to bind
    those handlers. Users of Lift 3 before RC4 will want to explicitly enable
    LiftRules.extractInlineJavaScript to preserve prior behavior.

Lift Framework 3.0-RC3: Third Release Candidate

03 Oct 01:43

We found an annoying situation in RC2 that made the asJValue
method of Record and MetaRecord return JValue, which
didn't jibe with the way these were being used in certain cases.

Fixes

  • (#1787) Record and MetaRecord's asJValue methods were
    correctly converted to return JValues, but in certain cases this
    did not connect well with actual use. A new asJObject method
    was added to return the JSON as a JObject which could then be
    combined with other fields and objects.

Lift Framework 3.0-RC2: Second Release Candidate

04 Apr 14:50

We saw an issue in RC1 that could be worked around, but we
felt it was easy enough to come across it without intending to
that it was worth releasing a second RC.

Fixes

  • (#1783) JsCmds that produced HTML with events and eagerly
    evaluated that HTML content (e.g. by declaring a val toJsCmd
    instead of def toJsCmd) would produce the event handler JS
    even if the JsCmd in question was never sent down to the client.
    We now tie the JS for event handling to the JsCmd's content
    directly, so this pitfall can't be triggered. Thanks to Riccardo Sirigu
    for reporting this issue on the mailing list.

Lift Framework 3.0-RC1: Release Candidate

21 Mar 03:56

This release features the last tidbits before 3.0 goes out the door. These
include some cleanup, a bunch of dependency bumps, and a couple of
fixes to bugs discovered during use of 3.0-M8. No feature work landed in
this release, and only bug fixes will be permitted before the next release.

If we don't see any bugs in the next 2-4 weeks, we'll be releasing Lift 3.0.
We're all super excited to be this close to a final release!

Breaking Changes

  • (#1766) lift-json's \\ used to return a JValue. In cases where it matched
    a single field directly, it would return the field's value rather than a consistent
    container type. Matching multiple fields would return a JObject with the
    matched fields in it. Now, \\ always returns a JObject with the matching
    fields in it, even if there is only one such field. This may require adapting
    certain uses of \\, especially in for comprehensions. Code like
    for (JString(name) <- object \\ "name") will have to be changed to
    something more like for (JField(_, JString(name)) <- object \\ "name") to
    work correctly. Thanks to @eallik for reporting!
  • (#1773, #1779) Lift was depending on outdated versions of many libraries.
    We've bumped those dependencies, so we now depend on specs2 3.7 and
    Java Servlet 3.1. All other version bumps were non-major, including
    lift-json-scalaz now depending on Scalaz 7.2. See the dependency file's diff for the full breakdown of dependency updates.

Improvements

  • (#1772) When JsCmds including Noop were combined with &, you
    would get a lot of empty lines, since each Noop would emit some empty
    lines in those cases. Now, we ignore Noop when combining JsCmds,
    which should lead to reduced noise in serialized JS output. The most
    immediate impact is that page-specific JavaScript will be much more compact
    than it was before.

Fixes

  • (#1779) Props.whereToLook works correctly again. In 3.0-M8, we expanded
    the abilities of Props to read from arbitrary sources. Unfortunately, in the
    process, we broke the whereToLook setting that allowed you to adjust the
    search paths for Props to look for named property files. This has been fixed
    in RC1. Thanks to @serioga for reporting!
  • (#1769) Lift's JavaScript settings customization was set up such that you couldn't
    override things provided by Lift's liftVanilla or liftJQuery objects. This is now
    fixed, so custom JavaScript settings can build on and override those base functions.
    Thanks to @joescii for reporting… And fixing! ;)

Lift Framework 3.0-M8: Security and milestone release

31 Jan 23:08

This release features a dependency update to fix a security issue. See below.

It also features a large number of bug fixes and targeted improvements
based on feedback from actual use of Lift 3. It is expected to be the last Lift 3
milestone release, with the next build expected to be RC1. We don't expect
to land any more feature work before releasing Lift 3.0.0, and would like folks
to start hammering this release to find any lurking bugs that haven't yet been
caught.

Security

Lift 3.0 milestones were found to be using an outdated version of Apache
Commons FileUpload, which had an unpatched DoS vulnerability.

Lift 3.0-M8 bumps the dependency to the latest version, 1.3.1, which fixes
this vulnerability. Additionally, if you're using sbt, you can directly depend
on commons-fileupload 1.3.1 to evict the Lift dependency without upgrading
Lift. The versions are compatible with respect to Lift's usage.

Compatibility Notes

Lift 3.0-M7 was the last Lift build built with Java 7. Future builds and the
final Lift 3.0.0 release will be built on Java 8. If you use Java 7, please
make sure to add the commons-fileupload 1.3.1 dependency mentioned
above so you are protected from the DoS vulnerability.

Also, earlier builds of Lift 3.0 defaulted the Content-Security-Policy to
report only in dev mode (which will produce error messages and logs, but
not prevent anything from actually loading/running), but actually enforced
the security policy in production. For the initial Lift 3.0.0 release, we are
relaxing this to allow for an easier transition: the default will be report-only
in both dev mode and production mode. Lift 3.1 will return to a secure
production default.

You can get the previous behavior by setting:

LiftRules.securityRules = () => SecurityRules(enforceInOtherModes = true)

You can also enforce in dev mode by passing the enforceInDevMode = true
parameter.
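
A header audit for the defaults described above, as an added example (not Lift code): because 3.0.0 ships report-only CSP in every run mode and Strict-Transport-Security off, it checks whether a response's headers actually enforce anything. The header names are the standard HTTP ones and the sample header sets are constructed from the defaults these notes describe; both are assumptions to confirm against your own app's responses.

```python
# Added example, not Lift code. Header names are the standard HTTP ones; that a
# Lift app emits exactly these is an assumption to confirm on your own responses.

def parse_csp(value):
    """Split a CSP header value into {directive: [lowercased sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores repeated directives: the first occurrence wins.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def audit_headers(headers):
    """Return a sorted list of finding codes for one response's headers."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if enforced is None:
        findings.append("csp-report-only" if report_only is not None else "csp-missing")

    # Inspect whichever policy is present: a report-only policy shows what
    # would be allowed once enforcement is switched on.
    policy = parse_csp(enforced or report_only or "")
    script_sources = policy.get("script-src", policy.get("default-src", []))
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in script_sources:
            findings.append("script-src-" + keyword.strip("'"))

    if "strict-transport-security" not in h:
        findings.append("hsts-missing")

    # frame-ancestors only restricts framing when the policy is enforced.
    enforced_policy = parse_csp(enforced or "")
    if "x-frame-options" not in h and "frame-ancestors" not in enforced_policy:
        findings.append("frame-restriction-missing")
    return sorted(findings)


# Constructed sample: the 3.0.0 defaults as these notes describe them
# (same-origin, images from anywhere, JS with unsafe eval, report-only, no HSTS).
SAMPLE_DEFAULTS = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; img-src *; script-src 'unsafe-eval' 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: a deployment that enforces the policy and enables HSTS.
SAMPLE_ENFORCED = {
    "Content-Security-Policy": "default-src 'self'; img-src *; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for name, sample in (("defaults", SAMPLE_DEFAULTS), ("enforced", SAMPLE_ENFORCED)):
        print(name, audit_headers(sample))
```
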

Note about M7

We cut M7 a little earlier than we wanted to announce another milestone,
so rather than announcing it we left the artifacts but made no official
announcement. The release notes below include the changes in M7.

Improvements

  • (#1726) LiftRules.autoIncludeAjaxCalc, which decides whether or not to
    include Lift's JavaScript, now makes no attempt to include the lift.js file if the
    current request is stateless. Serving lift.js triggers session creation, so a
    page that was stateless for performance reasons but included lift.js would
    still cause session churn. The new default avoids this, though you can return
    to the old behavior if preferred.
  • (#1710) Until now, render produced a Document, which is a now-deprecated Scala
    intermediary type. Passing that Document to pretty or compact would produce
    the desired kind of JSON output. We now drop Document from the pipeline,
    with compact(render) and pretty(render) producing deprecation warnings.
    These forms will be removed in 3.1, in favor of compactRender and prettyRender.
    The new serialization code is also both faster and more customizable, allowing
    rendering to any Java Appendable and some more customization on how
    renderings are formatted.
  • (#1736) JSON serialization is well-specified, but when serializing for parsing
    by a JS language parser rather than a JSON parser (e.g., in JSON-P), escaping
    works a little differently. Lift now supports changing characters that are escaped
    and provides JS-specific convenience configurations for serializing JSON in
    ways that won't break for these cases.
  • (#1741) RestHelper will now properly handle async responses wrapped in
    Scala Futures. Before, it only handled LAFuture. These async responses
    are handled using the same continuation mechanism that powers Lift's comets.
  • (#1717) Deserializing JSON to a List[Option[T]] did not work. It now works
    correctly, deserializing null to None.
  • (#1719) lift-json's write function can now take primitive values to serialize (e.g.,
    Serialization.write(3)). Before, it only supported object types.
  • (#1752) Lift 3.0 finds on* attributes and other embedded JS and separates
    it out into actual JS that is invoked separately. This helps to enforce tighter
    Content-Security-Policy restrictions. Before, in AJAX responses that included
    HTML, we were not performing this event extraction. Now, event extraction
    happens for both pages and AJAX responses uniformly.

Fixes

  • (#1711) S.appendJs could behave strangely when invoked from within
    JsCmd construction, and particularly in Wiring and in certain comet contexts.
    It should now behave predictably across the board.
  • (#1714) MatchWithoutCurrentValue did not work correctly for Menus
    that did not include a *. This is now fixed.
  • (#1718) Deserializing an incorrect type to an Option[T] would produce a
    None. Now, only a null produces a None, something that can deserialize
    to a T produces a Some[T], and a non-null value that cannot deserialize
    to a T produces a MappingException.
  • (#1721) Lift 3's default client-side logError implementation was broken and
    caused a stack overflow. It is now fixed.
  • (#1733) lift-markdown was failing to correctly break up parsing by newline.
    This was only on Java 8 due to a change in regex behavior in Java; it is now
    fixed.
  • (#1734) CssUrlPrefixer, which prepends the context path of the application
    to served CSS, was failing to properly parse certain URLs, particularly those
    that included , and %. It was also always emitting URLs wrapped in single
    quotes irrespective of the source CSS's style. All of these issues are now fixed.
  • (#1737) Msgs now appends any JS it needs to the page JS, rather than
    inserting it into the page markup.
  • (#1744) Fixes for IE8 in lift.js. We were relying on some functionality that
    does not exist in IE8. We now have a polyfill for this functionality.
  • (#1748) Lift's non-jQuery implementation of internal functionality now properly
    sets X-Requested-With for AJAX requests, thus allowing Lift to internally
    recognize AJAX requests (via Req's xhr_? method).
  • (#1749) Our mongo dependencies were upgraded to the latest driver that
    still provides support for some of our older customization strategies. The
    older customization is now deprecated for removal in 3.1, so that we can
    catch up to the latest mongo driver. Note that the driver we currently depend
    on is still compatible with the latest server versions.
  • (#1750) When trying to use Menu.item, we were trying to identify the current
    page using S.request. This failed when we were trying to build menu HTML
    from an AJAX callback, since S.request no longer referred to the current page,
    but rather the AJAX request. We now use S.originalRequest, which does refer
    to the current page even in an AJAX callback.

Deprecations

  • (#1710) In lift-json, compact and pretty (previously used in conjunction with
    render to serialize JSON to a String) are now deprecated in favor of compactRender
    and prettyRender. They will be removed in Lift 3.1.
  • (#1742) FocusOnLoad is now deprecated in favor of S.appendJs(Focus(...))
    and/or using the HTML5 autofocus attribute.
  • (#1749) Our mongo dependencies were upgraded to the latest driver that
    supports some of our older customization strategies. The older customization
    is now deprecated for removal in 3.1. In particular, these are defineDbAuth
    and useSession wrappers.

Lift 2.6.3: Security Release

31 Jan 23:09

Lift 2.6 was found to be using an outdated version of Apache Commons
FileUpload, which had an unpatched DoS vulnerability.

Lift 2.6.3 bumps the dependency to the latest version, 1.3.1, which fixes
this vulnerability. Additionally, if you're using sbt, you can directly depend
on commons-fileupload 1.3.1 to evict the Lift dependency. The versions
are compatible with respect to Lift's usage.

Lift 2.5.4: Security Release

31 Jan 23:09

Lift 2.5 was found to be using an outdated version of Apache Commons
FileUpload, which had an unpatched DoS vulnerability.

Lift 2.5.4 bumps the dependency to the latest version, 1.3.1, which fixes
this vulnerability. Additionally, if you're using sbt, you can directly depend
on commons-fileupload 1.3.1 to evict the Lift dependency without upgrading
Lift. The versions are compatible with respect to Lift's usage.

Lift Framework 3.0-M6

26 Jul 16:12

Pre-release

This release features a good bit of cleanup from the previous one. It's been a busy
few months for the committers so the work is mostly in targeted improvements and
bug fixes:

Improvements

  • (#1706) Thanks to @chriswebster, an up to 90% performance increase in JSON
    serialization for lift-json!
  • (#1693) ParamFailure now behaves more correctly with ~>. That operator, when
    used on a Failure, returns a ParamFailure with the passed parameter, while
    preserving the rest of the original Failure's information. Before, invoking ~> with
    a parameter on a ParamFailure would replace the existing parameter with the new
    one, thus losing the previous parameter altogether. Now, we produce a copy of the
    ParamFailure with the new parameter, but we chain the previous ParamFailure
    to it so that the original parameter is still accessible.
  • (#1698) Lift 3 sessions allow an actor proxy for client code to be created via
    serverActorForClient. This release includes some new setup configuration
    when creating those actors, like providing setup and teardown functions as well
    as ways to convert from application messages into client JS content.
  • (#1701) There is now a LiftRules.attributeForRemovedEventAttributes. When
    Lift strips event-related attributes (e.g. onclick, onsubmit, etc), if this rule is
    set to a String, it will tag the element whose event attributes were removed
    with the attributes that were removed. For example, setting it to Some("data-lift-removed-attributes")
    might result in a data-lift-removed-attributes="onclick onmouseover" attribute
    in your HTML if that element had its click and mouseover event handlers moved
    into page-specific JS. This allows you to make styling decisions based on these
    attributes, if you want to. See the rule documentation for more.
  • (#1705) Until now, jsonCall would fail silently on both client and server if the
    submitted data from the client wasn't valid JSON. Now, it will log (at an ERROR
    log level) on the server if invalid JSON is sent. Whether this log info will be printed
    or not is configurable using usual logger configuration.
  • (#1709) You can now register to find out when a function owner no longer has
    available functions bound in a session. Function owners typically (though not always)
    correspond to server-side functions bound or a page rendering (e.g., form fields).
    These usually expire ~2 minutes after the user is no longer on the page, but until
    now there was no way to find out that a given page was no longer “in scope”. In
    certain cases, that could be interesting to clean up page-related temporary assets
    or resource allocations. We now provide LiftSession.onFunctionOwnersRemoved,
    which can be set during application startup so that any new sessions can register
    those listeners. @andreak posted an excellent example of how they are using this
    on the mailing list.

Bug Fixes

  • (#1694) When generating post-page JavaScript (mostly used by Wiring), there
    were some cases where null pointer exceptions could be thrown. These should
    be gone.
  • (#1692) When binding onclick to an element that had an href, the new code
    that extracts event handlers into page-specific JS was failing to bind the click
    handler. This is now fixed, as is a related bug where elements that didn't need
    handlers still had a random id assigned to them.
  • (#1677) When sending messages to comet actors before they are created (via
    LiftSession.sendCometActorMessage), they would arrive in reverse order.
    This is now fixed, and the first message sent using sendCometActorMessage
    arrives first.
  • (#1703) When we moved away from bind, the CSS bindings in ProtoUser
    that checked password changes were incorrect, in that they never saw the
    user having submitted two versions of the same password. This is now fixed,
    and the change password stuff provided by ProtoUser is now correct.