Hi Mike,

These XSS attacks are Javascript-based, which means they operate on the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the Javascript 'eval' command would have no effect on your Dancer app.

Wikipedia has a useful article about XSS that should help clear up the confusion: https://en.wikipedia.org/wiki/Cross-site_scripting

On 9 October 2015 at 01:53, Mike Cu <mike_cu80@yahoo.com> wrote:
I was reading about Stored XSS via AJAX on Web Application Exploits and Defenses
[Link preview: Web Application Exploits and Defenses, Cross-Site Scripting (XSS), google-gruyere.apps...]
where it says: "Second, in the browser, Gruyere converts the JSON by using Javascript's eval. In general, eval is very dangerous and should rarely be used. If it is used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser which ensures that the string does not include any unsafe content. The JSON parser is available at json.org."
So I'm wondering, what does Dancer do? eval, or use a parser?
_______________________________________________
dancer-users mailing list
dancer-users@dancer.pm
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
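As an added example (not code from this thread, from Dancer, or from Gruyere), here is the contrast the quoted Gruyere text draws, in browser-side JavaScript: converting a server's JSON response with eval versus with the JSON parser. The two response bodies are constructed for the example, and the escapeHtml and renderComment helpers are assumptions of this example, added to show that parsing safely still leaves output encoding to do.

```javascript
// Added example, not code from the thread, Dancer or Gruyere. It contrasts the two ways a
// browser can turn a server's JSON text into an object: eval() (what Gruyere does) and
// JSON.parse() (the json.org parser the quoted text recommends). All inputs are constructed.

// A well-formed JSON body, as a server-side serializer would emit it. The comment field
// carries markup on purpose: a parser keeps it as inert string data.
const wellFormedBody = '{"user": "alice", "comment": "hello <b>there</b>"}';

// A constructed body that looks like JSON but contains an expression. eval() evaluates
// the expression; a JSON parser rejects the whole document without running anything.
const almostJsonBody = '{"user": "mallory", "n": 6*7}';

function parseWithEval(text) {
  // The Gruyere approach: the response text is executed as a JavaScript expression.
  // Whatever the response contains is run, not merely read.
  return eval('(' + text + ')');
}

function parseWithJsonParser(text) {
  // Strict JSON grammar only: no operators, functions or calls, so nothing executes.
  // Non-JSON input raises SyntaxError instead of being run.
  return JSON.parse(text);
}

function tryJsonParse(text) {
  // Wraps JSON.parse so a caller can see accept/reject without exceptions.
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Parsing safely is only half of it: values from the parsed object still have to be
// encoded when written into the page. Hypothetical helper (an assumption of this
// example); a real app would use textContent or a template engine's escaping.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderComment(body) {
  // Parse with the JSON parser, then escape each field before building HTML.
  const data = parseWithJsonParser(body);
  return '<p>' + escapeHtml(data.user) + ': ' + escapeHtml(data.comment) + '</p>';
}

// Usage when run directly with node:
console.log(tryJsonParse(almostJsonBody));     // { ok: false, error: 'SyntaxError' }
console.log(parseWithEval(almostJsonBody).n);  // 42: the embedded expression was executed
console.log(renderComment(wellFormedBody));    // markup in the comment arrives escaped
```

The point for the question asked in the thread: what the server framework does matters less than how the browser consumes the response. A body that a JSON parser rejects with SyntaxError is one that eval would have executed, and even a correctly parsed string still needs escaping before it is placed into the DOM.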