Hi Mike,

These XSS attacks are JavaScript-based, which means they operate in the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the JavaScript 'eval' command would have no effect on your Dancer app. Wikipedia has a useful article about XSS that should help clear up the confusion:

https://en.wikipedia.org/wiki/Cross-site_scripting


On 9 October 2015 at 01:53, Mike Cu <mike_cu80@yahoo.com> wrote:
I was reading about

Stored XSS via AJAX on "Web Application Exploits and Defenses: Cross-Site Scripting (XSS)", where it says:

"Second, in the browser, Gruyere converts the JSON by using JavaScript's eval. In general, eval is very dangerous and should rarely be used. If it is used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser which ensures that the string does not include any unsafe content. The JSON parser is available at json.org."

So I'm wondering, what does Dancer do? eval, or use a parser?

_______________________________________________
dancer-users mailing list
dancer-users@dancer.pm
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
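The exchange above turns on two separate decisions: how the server encodes the JSON body (string concatenation versus a real JSON encoder) and how the browser decodes it (eval versus JSON.parse). The following is an added example, not code from the thread, from Gruyere or from Dancer; it runs in Node and uses JSON.stringify as a stand-in for the server-side encoder (in a Dancer app that step would be Perl code using a JSON module). The user record and the attacker's stored "bio" value are constructed for the demonstration.

```javascript
'use strict';

// Constructed sample data (not from the original post): the attacker has stored
// this "bio" on the server through an ordinary profile form, the classic stored
// XSS vector. Its only side effect is to set a global flag so we can detect execution.
const ATTACKER_BIO = '" + (globalThis.xssFired = "yes") + "';
const BENIGN_BIO = 'Hello, world';

// Vulnerable server: builds the JSON body by string concatenation, so a stored
// value containing a double quote breaks out of its string and becomes code.
function naiveServerJson(user) {
  return '{"name": "' + user.name + '", "bio": "' + user.bio + '"}';
}

// Correct server: a real JSON encoder escapes quotes, backslashes and control
// characters, so the stored value stays a string no matter what it contains.
function properServerJson(user) {
  return JSON.stringify({ name: user.name, bio: user.bio });
}

// Vulnerable client: the pre-JSON.parse idiom Gruyere uses. Whatever is in the
// body is evaluated as JavaScript, expressions included.
function evalParse(body) {
  return eval('(' + body + ')');
}

// Correct client: JSON.parse accepts only JSON data and throws on anything else.
function safeParse(body) {
  return JSON.parse(body);
}

// Runs one server/client combination and reports whether the payload executed,
// what the client ended up with as "bio", and the name of any parse error.
function tryCombination(encode, decode, user) {
  delete globalThis.xssFired;
  let parsed = null;
  let error = null;
  try {
    parsed = decode(encode(user));
  } catch (e) {
    error = e.name;
  }
  return {
    fired: globalThis.xssFired === 'yes',
    bio: parsed ? parsed.bio : null,
    error,
  };
}

// All four combinations for the attacker-controlled record.
function demo() {
  const user = { name: 'mike', bio: ATTACKER_BIO };
  return {
    naiveServer_evalClient: tryCombination(naiveServerJson, evalParse, user),
    naiveServer_jsonParseClient: tryCombination(naiveServerJson, safeParse, user),
    properServer_evalClient: tryCombination(properServerJson, evalParse, user),
    properServer_jsonParseClient: tryCombination(properServerJson, safeParse, user),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the concatenating server combined with the eval client actually runs the payload. JSON.parse rejects the broken body with a SyntaxError, and a properly encoded body is inert even under eval, which is the reason both halves matter: the server must produce real JSON, and the client must not treat the response as code.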