<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1444064453768_4516" dir="ltr">Hi Shlomi,<br></div><div id="yui_3_16_0_1_1444064453768_4574" dir="ltr">does the serializer internally use a Json parser ? if yes,is it safe to assume that it would dissalow a piece code enclosed in <script> tags in the case it was passed in to it? <br></div><div dir="ltr" id="yui_3_16_0_1_1444064453768_4392">is the Ajax call safe itself? because since it uses Json should the Json also be escaped?</div><div id="yui_3_16_0_1_1444064453768_4647" dir="ltr"><br></div><div id="yui_3_16_0_1_1444064453768_4391"><br></div><div id="yui_3_16_0_1_1444064453768_4384"><span></span></div>  <br><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> On Monday, October 5, 2015 2:55 PM, Shlomi Fish <shlomif@shlomifish.org> wrote:<br> </font> </div>  <br><br> <div class="y_msg_container">Hi Mike,<br clear="none"><br clear="none">see below for my response.<br clear="none"><br clear="none">On Mon, 5 Oct 2015 06:22:11 +0000 (UTC)<br clear="none">Mike Cu <<a shape="rect" ymailto="mailto:mike_cu80@yahoo.com" href="mailto:mike_cu80@yahoo.com">mike_cu80@yahoo.com</a>> wrote:<br clear="none"><br clear="none">> I have an Ajax call like :<br clear="none">> $( "#City" ).selectmenu({<br clear="none">>                          select: function( event, ui ) {<br clear="none">>                          $.ajax({     url: '/cities',<br clear="none">>                          type: "POST",<br clear="none">>                          data: {'City':$("#City"<br clear="none">> ).val()}}).success(function(data){ $("#display").html(data);});<br clear="none">>                      },<br clear="none">> <br clear="none">> <br clear="none">>   });<br clear="none"><br clear="none">Your indentation in this excerpt of JavaScript code is bad. Please fix it, see:<br clear="none"><br clear="none"><a shape="rect" href="https://en.wikipedia.org/wiki/Indent_style" target="_blank">https://en.wikipedia.org/wiki/Indent_style</a><div class="yqt5142577171" id="yqtfd36929"><br clear="none"><br clear="none">> does the default JSON serializer escape the data to prevent XSS, or should I<br clear="none">> escape it manually? </div><br clear="none"><br clear="none">The JSON serialiser should in general pass the text passed to it as is. As a<br clear="none">result, you should make sure to explictly escape it somewhere else (e.g: when<br clear="none">passing the data to the .html ( ... ) call).<br clear="none"><br clear="none">And it's good that you make use of jQuery.<br clear="none"><br clear="none">    -- Shlomi<br clear="none"><br clear="none">-- <br clear="none">-----------------------------------------------------------------<br clear="none">Shlomi Fish       <a shape="rect" href="http://www.shlomifish.org/" target="_blank">http://www.shlomifish.org/</a><br clear="none">My Favourite FOSS - <a shape="rect" href="http://www.shlomifish.org/open-source/favourite/" target="_blank">http://www.shlomifish.org/open-source/favourite/</a><br clear="none"><br clear="none">Chuck Norris is the greatest man in history. He killed all the great men who<br clear="none">could ever pose a competition.<br clear="none">    — <a shape="rect" href="http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/" target="_blank">http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/</a><br clear="none"><br clear="none">Please reply to list if it's a mailing list post - <a shape="rect" href="http://shlom.in/reply" target="_blank">http://shlom.in/reply </a>.<br clear="none">_______________________________________________<br clear="none">dancer-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:dancer-users@dancer.pm" href="mailto:dancer-users@dancer.pm">dancer-users@dancer.pm</a><br clear="none"><a shape="rect" href="http://lists.preshweb.co.uk/mailman/listinfo/dancer-users" target="_blank">http://lists.preshweb.co.uk/mailman/listinfo/dancer-users</a><div class="yqt5142577171" id="yqtfd39326"><br clear="none"></div><br><br></div>  </div> </div>  </div></div></body></html>