Does the serializer internally use a JSON parser? If yes, is it safe to assume that it would disallow a piece of code enclosed in <script> tags in case it was passed in to it?
Is the Ajax call safe itself? Because, since it uses JSON, should the JSON also be escaped?
On Monday, October 5, 2015 2:55 PM, Shlomi Fish <shlomif@shlomifish.org> wrote:
Hi Mike,
see below for my response.
On Mon, 5 Oct 2015 06:22:11 +0000 (UTC) Mike Cu <mike_cu80@yahoo.com> wrote:
> I have an Ajax call like:
>
>     $( "#City" ).selectmenu({
>         select: function( event, ui ) {
>             $.ajax({
>                 url: '/cities',
>                 type: "POST",
>                 data: {'City': $("#City").val()}
>             }).success(function(data) {
>                 $("#display").html(data);
>             });
>         },
>     });
Your indentation in this excerpt of JavaScript code is bad. Please fix it, see:
> Does the default JSON serializer escape the data to prevent XSS, or should I escape it manually?
The JSON serialiser should in general pass the text passed to it as is. As a result, you should make sure to explicitly escape it somewhere else (e.g. when passing the data to the .html(...) call).
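As an added example (not code from Mike's or Shlomi's messages), the following JavaScript demonstrates the point in Shlomi's reply: a JSON serialiser preserves text, so whatever escaping it does on the wire is undone by JSON.parse on the client, and a `<script>` string fed to a `.html(data)` sink lands in the DOM as live markup. The `vulnerableRender` and `safeRender` functions are stand-ins for `$("#display").html(data)` and `$("#display").text(data)` respectively; the `CITY_NAME` value is a constructed payload, and the "angle-escaping serialiser" variant is an assumption modelling serialisers that emit `\u003c` for `<`.

```javascript
// Added example, not part of the original thread. Shows that JSON
// serialisation is not HTML escaping, and what the client must do instead.

// Constructed payload: a city name an attacker managed to store server-side.
const CITY_NAME = '<script>alert(document.cookie)</script>';

// 1. JSON round-trips text unchanged. JSON.stringify escapes quotes,
//    backslashes and control characters, but not '<', '>' or '&'.
function jsonRoundTrip(s) {
  return JSON.parse(JSON.stringify(s));
}

// Assumption: models a serialiser that additionally writes '<' and '>' as
// \u003c / \u003e on the wire. That protects JSON embedded in a <script>
// block, but JSON.parse still yields the original characters.
function jsonRoundTripWithAngleEscape(s) {
  const wire = JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
  return JSON.parse(wire);
}

// 2. HTML escaping for text and double/single-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 3. Two sinks. vulnerableRender models $("#display").html(data): the
//    response is parsed as markup. safeRender models $("#display").text(data)
//    (or .html(escapeHtml(data))): the response is shown as literal text.
function vulnerableRender(data) {
  return '<div id="display">' + data + '</div>';
}

function safeRender(data) {
  return '<div id="display">' + escapeHtml(data) + '</div>';
}

// Does the markup that would be assigned to the DOM contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The fixed Ajax callback from the thread would therefore read:
//   .success(function (data) { $("#display").text(data); });
// or, if /cities returns a JSON object, parse it and insert the field as text:
//   .success(function (data) { $("#display").text(JSON.parse(data).city); });

function demo() {
  return {
    roundTripLossless: jsonRoundTrip(CITY_NAME) === CITY_NAME,
    angleEscapeAlsoLossless: jsonRoundTripWithAngleEscape(CITY_NAME) === CITY_NAME,
    vulnerableHasScript: containsScriptTag(vulnerableRender(CITY_NAME)),
    safeHasScript: containsScriptTag(safeRender(CITY_NAME)),
  };
}
```

The practical rule that falls out of this: decide what `/cities` returns. If it returns JSON, the client must parse it and insert each field with `.text()` (or escape it before `.html()`); if it returns an HTML fragment, the server must HTML-escape every user-controlled value before building that fragment, because the client cannot tell attacker markup from the server's own markup once it is in one string.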