Hi Mike! Sorry for the late response. I should note that based on your questions, it seems you are getting your concepts mixed up.

On Mon, 5 Oct 2015 21:10:45 +0000 (UTC) Mike Cu <mike_cu80@yahoo.com> wrote:
> Hi Shlomi, does the serializer internally use a JSON parser?
The JSON serialiser uses a JSON encoder. The JSON decoder parses the JSON which is given as text.
> If yes, is it safe to assume that it would disallow a piece of code enclosed in <script> tags in the case it was passed in to it?
No, it would not. If you pass text with <script> tags into a JSON it will be placed there as is. Here is an example:

« CODE »
#!/usr/bin/perl

use strict;
use warnings;

use JSON::MaybeXS qw(encode_json decode_json);

# A hash whose value is a literal <script> block.
my $data = { html_key => <<'EOF' };
<script type="text/language">
alert("I am running");
</script>
EOF

# Encode to JSON text: the tags are kept verbatim (only quotes and
# newlines are escaped).
my $json = encode_json($data);

print <<"EOF";
The JSON is:
<<< $json

EOF

# Decode it again: the original <script> block comes back unchanged.
my $from_json = decode_json($json);
my $html = $from_json->{html_key};

print <<"EOF";
The HTML is:
[[[ $html ]]]
EOF
« / CODE »

which gives the following output:

« OUTPUT »
shlomif@telaviv1:~$ perl json-roundtrip.pl
The JSON is:
<<< {"html_key":"<script type=\"text/language\">\nalert(\"I am running\");\n</script>\n"}

The HTML is:
[[[ <script type="text/language">
alert("I am running");
</script>
 ]]]
shlomif@telaviv1:~$
« END OF OUTPUT »
> Is the Ajax call safe itself?
It depends how you do it and handle its data. You can try escaping the HTML if you are putting it into a document.
> Because since it uses JSON, should the JSON also be escaped?
The JSON (in all-caps - it is not spelled "Json") will not necessarily be escaped.

Regards,

Shlomi Fish

--
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality - http://shlom.in/sw-quality

Chuck Norris refactors 10 million lines of Perl code before lunch.
    — http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
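The following script is an added example for this thread, not code from Shlomi's mail. It extends his round-trip demo to the two places where the JSON text actually meets HTML: the consumer that writes a decoded value into a document, and a page that embeds the JSON inline in a `<script>` block. Both helpers, `escape_html` and `json_for_inline_script`, are written for this example and are not part of JSON::MaybeXS; the sample value is constructed.

```perl
#!/usr/bin/perl
# Added example (not from the original mail): JSON encoding keeps <script>
# verbatim, so escaping has to happen at the point where the data is
# placed into HTML, not at the JSON layer.
use strict;
use warnings;

use JSON::MaybeXS qw(encode_json decode_json);

# Hypothetical helper for this example: HTML-escape a string so it is safe
# as a text node or inside a double-quoted attribute value.
my %entity = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Hypothetical helper for this example: when JSON text is pasted into an
# inline <script> block, the HTML parser ends that block at the first "</"
# it sees, regardless of JSON string boundaries. Writing "/" as "\/" is
# valid JSON and removes that sequence. (Data fetched via Ajax and passed
# to a JSON decoder does not go through the HTML parser, so it does not
# need this step.)
sub json_for_inline_script {
    my ($json) = @_;
    $json =~ s{</}{<\\/}g;
    return $json;
}

# Constructed sample: a value that could have come from untrusted input.
my $data = { html_key => q{<script>alert("I am running")</script>} };

my $json = encode_json($data);
print "JSON:          $json\n";           # still contains a literal <script>
print "Inline-safe:   ", json_for_inline_script($json), "\n";

# Consumer side: decode, then escape before inserting into the document.
my $html = decode_json($json)->{html_key};
print "Raw (unsafe):  <div>$html</div>\n";
print "Escaped:       <div>", escape_html($html), "</div>\n";
```

The escaped form renders the tag as visible text instead of executing it; the inline-safe form can be assigned to a JavaScript variable inside a page without terminating the surrounding `<script>` element.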