<div dir="ltr">Hi Mike,<div><br></div><div>These XSS attacks are Javascript-based, which means they operate on the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the Javascript 'eval' command would have no effect on your Dancer app. Wikipedia has a useful article about XSS that should help clear up the confusion:</div><div><br></div><div><a href="https://en.wikipedia.org/wiki/Cross-site_scripting">https://en.wikipedia.org/wiki/Cross-site_scripting</a><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 9 October 2015 at 01:53, Mike Cu <span dir="ltr"><<a href="mailto:mike_cu80@yahoo.com" target="_blank">mike_cu80@yahoo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"><div dir="ltr">I was reading about <br></div><h3>Stored XSS via AJAX on <br></h3><div dir="ltr"> <a>Web Application Exploits and Defenses</a> <br></div><div dir="ltr">where it says "<br></div><div dir="ltr">Second, in the browser, Gruyere converts the JSON by using
Javascript's <code>eval</code>. In general, <code>eval</code> is very
dangerous and should rarely be used. If it is used, it must be used very
carefully, which is hardly the case here. We should be using the JSON
parser which ensures that the string does not include any unsafe
content. The JSON parser is available
at <a>json.org</a>."</div><div dir="ltr"><br></div><div dir="ltr">So I'm wondering: what does Dancer do? eval, or use a parser?<br></div></div></div><br>_______________________________________________<br>
dancer-users mailing list<br>
<a href="mailto:dancer-users@dancer.pm">dancer-users@dancer.pm</a><br>
<a href="http://lists.preshweb.co.uk/mailman/listinfo/dancer-users">http://lists.preshweb.co.uk/mailman/listinfo/dancer-users</a><br>
<br></blockquote></div><br></div>
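<p>As an added illustration of the browser-side point in the quoted Gruyere text (this is example code written for this page, not code from the thread, from Gruyere or from Dancer): the two ways a client can turn a fetched response body into an object. Passing the body to <code>eval</code> treats it as a program, so a body that is not JSON but is a valid JavaScript expression gets executed; <code>JSON.parse</code> only accepts the JSON grammar and throws a <code>SyntaxError</code> on the same body. The payloads, the <code>sentinel</code> flag and the <code>escapeHtml</code> helper are constructed for the example. The helper is there because parsing safely is only half of the job: a legitimately parsed string such as <code>"&lt;b&gt;hello&lt;/b&gt;"</code> is still untrusted text and must be inserted into the page as text (<code>textContent</code>, or escaped as below), not as HTML.</p>

```javascript
'use strict';

// Constructed sample response bodies (not real Gruyere traffic).
// A well-formed JSON snippet record; note the markup is just string data.
const HONEST_JSON = '{"author":"alice","snippet":"<b>hello</b>"}';
// Not valid JSON, but a valid JavaScript object-literal expression. If it is
// evaluated, the parenthesised comma expression runs and sets a harmless flag.
const HOSTILE_BODY =
  '{"author":(globalThis.sentinel = "ran", "mallory"),"snippet":"x"}';

// The pattern the Gruyere text criticises: eval executes whatever arrived in the
// response, so anyone who can influence the body can run code in the browser.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// The hardened form: JSON.parse is a data parser, not a code interpreter. Anything
// outside the JSON grammar is rejected, which we surface as an ok/error result.
function parseWithJsonParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Parsed strings are still untrusted. Before interpolating one into HTML, encode
// the characters that would let it break out of a text context. (In a browser,
// assigning to element.textContent achieves the same without manual escaping.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-alone demonstration: shows the honest body parsing fine, the hostile
// body being rejected by JSON.parse, and the same body running under eval.
function demo() {
  const honest = parseWithJsonParse(HONEST_JSON);
  console.log('JSON.parse honest body:', honest.ok, escapeHtml(honest.value.snippet));
  const hostile = parseWithJsonParse(HOSTILE_BODY);
  console.log('JSON.parse hostile body:', hostile.ok, hostile.error);
  console.log('sentinel before eval:', globalThis.sentinel);
  const viaEval = parseWithEval(HOSTILE_BODY);
  console.log('eval hostile body:', viaEval.author, 'sentinel after eval:', globalThis.sentinel);
}

demo();
```

<p>Run it with <code>node</code>: the <code>JSON.parse</code> path returns the snippet text unchanged and rejects the hostile body as malformed, while the <code>eval</code> path returns an object and, as a side effect, has already run the embedded expression.</p>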