I have an Ajax call like:

    $( "#City" ).selectmenu({
        select: function( event, ui ) {
            $.ajax({
                url: '/cities',
                type: "POST",
                data: { 'City': $( "#City" ).val() }
            }).success(function( data ) {
                $( "#display" ).html( data );
            });
        },
    });

Does the default JSON serializer escape the data to prevent XSS, or should I escape it manually?
Hi Mike, see below for my response. On Mon, 5 Oct 2015 06:22:11 +0000 (UTC) Mike Cu <mike_cu80@yahoo.com> wrote:
I have an Ajax call like:

    $( "#City" ).selectmenu({
        select: function( event, ui ) {
            $.ajax({
                url: '/cities',
                type: "POST",
                data: { 'City': $( "#City" ).val() }
            }).success(function( data ) {
                $( "#display" ).html( data );
            });
        },
    });
Your indentation in this excerpt of JavaScript code is bad. Please fix it, see: https://en.wikipedia.org/wiki/Indent_style
does the default JSON serializer escape the data to prevent XSS, or should I escape it manually?
The JSON serialiser should in general pass the text passed to it as is. As a result, you should make sure to explicitly escape it somewhere else (e.g. when passing the data to the .html( ... ) call). And it's good that you make use of jQuery.

-- Shlomi

-- 
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
My Favourite FOSS - http://www.shlomifish.org/open-source/favourite/

Chuck Norris is the greatest man in history. He killed all the great men who could ever pose a competition.
— http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
Hi Shlomi, does the serializer internally use a Json parser? If yes, is it safe to assume that it would disallow a piece of code enclosed in <script> tags in the case it was passed in to it? Is the Ajax call safe itself? Because since it uses Json, should the Json also be escaped?

On Monday, October 5, 2015 2:55 PM, Shlomi Fish <shlomif@shlomifish.org> wrote:

The JSON serialiser should in general pass the text passed to it as is. As a result, you should make sure to explicitly escape it somewhere else (e.g. when passing the data to the .html( ... ) call). And it's good that you make use of jQuery.
Hi Mike! Sorry for the late response. I should note that based on your questions, it seems you are getting your concepts mixed up. On Mon, 5 Oct 2015 21:10:45 +0000 (UTC) Mike Cu <mike_cu80@yahoo.com> wrote:
Hi Shlomi, does the serializer internally use a Json parser?
The JSON serialiser uses a JSON encoder. The JSON decoder parses the JSON which is given as text.
If yes, is it safe to assume that it would disallow a piece of code enclosed in <script> tags in the case it was passed in to it?
No, it would not. If you pass text with <script> tags into a JSON it will be placed there as is. Here is an example:

« CODE »

    #!/usr/bin/perl

    use strict;
    use warnings;

    use JSON::MaybeXS qw(encode_json decode_json);

    # The value is stored verbatim, <script> tags included.
    my $data = { html_key => <<'EOF' };
    <script type="text/language">
    alert("I am running");
    </script>
    EOF

    # Encoding only escapes what JSON itself requires (quotes, newlines).
    my $json = encode_json($data);
    print <<"EOF";
    The JSON is:
    <<<
    $json
    EOF

    # Decoding hands the original text back unchanged.
    my $from_json = decode_json($json);
    my $html = $from_json->{html_key};
    print <<"EOF";
    The HTML is:
    [[[
    $html]]]
    EOF

« / CODE »

which gives the following output:

« OUTPUT »

    shlomif@telaviv1:~$ perl json-roundtrip.pl
    The JSON is:
    <<<
    {"html_key":"<script type=\"text/language\">\nalert(\"I am running\");\n</script>\n"}
    The HTML is:
    [[[
    <script type="text/language">
    alert("I am running");
    </script>
    ]]]
    shlomif@telaviv1:~$

« END OF OUTPUT »
Is the Ajax call safe itself?
It depends how you do it and handle its data. You can try escaping the HTML if you are putting it into a document.
Because since it uses Json, should the Json also be escaped?
The JSON (in all-caps - it is not spelled "Json") will not necessarily be escaped.

Regards,

Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
What Makes Software Apps High Quality - http://shlom.in/sw-quality

Chuck Norris refactors 10 million lines of Perl code before lunch.
— http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/
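The same round-trip as Shlomi's Perl script, seen from the browser side where Mike's success handler lives. This is an added example, not code from the thread or from Dancer: JSON.stringify/JSON.parse stand in for the server-side serializer and the client-side parser, and HOSTILE_CITY is a constructed sample value, reusing the thread's own alert("I am running") text. The point it shows is the one Shlomi makes: the encoder only escapes what JSON needs (quotes, newlines), so the decoded text still carries the <script> element, and HTML escaping has to happen at the moment the text is inserted into the page, i.e. right before a .html(...) call.

```javascript
// Added example (not from the dancer-users thread or from Dancer itself).
// Shows that a JSON encode/decode round-trip preserves <script> markup, and
// that escaping belongs at the point where text is placed into the document.

// Constructed sample value, as if a client had POSTed it as the "City" field.
const HOSTILE_CITY = '<script type="text/language">alert("I am running");</script>';

// What a serializer on the server and the parser in the browser do together.
function jsonRoundTrip(value) {
  const wire = JSON.stringify({ City: value }); // escapes quotes/newlines, not markup
  return JSON.parse(wire).City;
}

// Minimal HTML escaper for text that will be inserted via innerHTML / .html().
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The markup a success handler would hand to $("#display").html(...).
// The unsafe version interpolates the decoded text as-is; the safe one escapes it.
function unsafeMarkup(city) {
  return '<p>Selected city: ' + city + '</p>';
}
function safeMarkup(city) {
  return '<p>Selected city: ' + escapeHtml(city) + '</p>';
}

// Detection helper: does a rendered string still contain a script element?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Demonstration when run stand-alone with node.
const decoded = jsonRoundTrip(HOSTILE_CITY);
console.log('round-trip preserved input :', decoded === HOSTILE_CITY);
console.log('unsafe markup has <script>:', containsScriptTag(unsafeMarkup(decoded)));
console.log('safe markup has <script>  :', containsScriptTag(safeMarkup(decoded)));
console.log(safeMarkup(decoded));
```

In jQuery the equivalent of safeMarkup for a plain string is to call $("#display").text(data) instead of .html(data): .text() sets the node's text content and never parses markup, so no hand-written escaper is needed unless the response is meant to carry HTML of its own.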