[dancer-users] Stored XSS via AJAX

Amelia Ireland aireland at lbl.gov
Fri Oct 9 17:33:20 BST 2015


Hi Mike,

These XSS attacks are Javascript-based, which means they operate on the
user's browser. Dancer runs on the server and is written in Perl, so XSS
attacks written to take advantage of the Javascript 'eval' command would
have no effect on your Dancer app. Wikipedia has a useful article about XSS
that should help clear up the confusion:

https://en.wikipedia.org/wiki/Cross-site_scripting


On 9 October 2015 at 01:53, Mike Cu <mike_cu80 at yahoo.com> wrote:

> I was reading about
> Stored XSS via AJAX on
> Web Application Exploits and Defenses
>
>
> where it says "
> Second, in the browser, Gruyere converts the JSON by using Javascript's
> eval. In general, eval is very dangerous and should rarely be used. If it
> is used, it must be used very carefully, which is hardly the case here. We
> should be using the JSON parser which ensures that the string does not
> include any unsafe content. The JSON parser is available at json.org."
>
> So I'm wondering, what does Dancer do? eval, or use a parser?
>
> _______________________________________________
> dancer-users mailing list
> dancer-users at dancer.pm
> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
>
>
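The distinction the quoted Gruyere text draws, shown in browser-side JavaScript as an added example (this is not code from the thread, from Gruyere, or from Dancer, and Dancer's own server-side JSON handling in Perl is not what it demonstrates). The two response strings are constructed; the point is that `eval` executes any expression it is handed, while `JSON.parse` rejects anything that is not strictly JSON, and that even a correctly parsed value still has to be HTML-escaped before it is placed in the page:

```javascript
// Constructed sample responses (not from the original thread).
const SAFE_RESPONSE = '{"name": "alice", "comment": "hello"}';
// Not JSON at all: a JavaScript expression embedded in an object literal.
// eval() will run it; a JSON parser will refuse it.
const NON_JSON_RESPONSE = '{"name": (function () { return "code ran"; })()}';

// The pattern the quoted text criticises: treating response text as a
// JavaScript expression. Whatever the server (or an attacker who can
// influence the stored data) put in the string gets executed.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// The recommended alternative: a real JSON parser. Input that is not
// strictly JSON raises a SyntaxError instead of running.
function parseWithJsonParser(text) {
  return JSON.parse(text);
}

// Small helper so both behaviours can be compared as return values:
// 'ok' if the parser accepted the text, 'rejected' if it threw a SyntaxError.
function outcome(parser, text) {
  try {
    parser(text);
    return 'ok';
  } catch (e) {
    return e instanceof SyntaxError ? 'rejected' : 'error';
  }
}

// Parsing safely does not make the *values* safe to inject as HTML; a
// stored comment still needs escaping before it reaches the DOM.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hypothetical renderer: parse with JSON.parse, then escape on output.
function renderComment(jsonText) {
  const obj = JSON.parse(jsonText);
  return '<p class="comment">' + escapeHtml(obj.comment) + '</p>';
}

// Stand-alone demonstration.
console.log(parseWithEval(NON_JSON_RESPONSE).name);          // "code ran"
console.log(outcome(parseWithJsonParser, NON_JSON_RESPONSE)); // "rejected"
console.log(renderComment('{"comment": "<b>hi</b>"}'));
```

In a real page the rendered string would be assigned with `textContent` or inserted through a templating layer that escapes by default, rather than built by concatenation; the helper is kept explicit here only so the escaping step is visible next to the parsing step.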