[dancer-users] JSON serializer

Mike Cu mike_cu80 at yahoo.com
Mon Oct 5 22:10:45 BST 2015

Hi Shlomi,
does the serializer internally use a Json parser ? if yes,is it safe to assume that it would dissalow a piece code enclosed in <script> tags in the case it was passed in to it? 
is the Ajax call safe itself? because since it uses Json should the Json also be escaped?


     On Monday, October 5, 2015 2:55 PM, Shlomi Fish <shlomif at shlomifish.org> wrote:

 Hi Mike,

see below for my response.

On Mon, 5 Oct 2015 06:22:11 +0000 (UTC)
Mike Cu <mike_cu80 at yahoo.com> wrote:

> I have an Ajax call like :
> $( "#City" ).selectmenu({
>                          select: function( event, ui ) {
>                          $.ajax({     url: '/cities',
>                          type: "POST",
>                          data: {'City':$("#City"
> ).val()}}).success(function(data){ $("#display").html(data);});
>                      },
>   });

Your indentation in this excerpt of JavaScript code is bad. Please fix it, see:


> does the default JSON serializer escape the data to prevent XSS, or should I
> escape it manually? 

The JSON serialiser should in general pass the text passed to it as is. As a
result, you should make sure to explictly escape it somewhere else (e.g: when
passing the data to the .html ( ... ) call).

And it's good that you make use of jQuery.

    -- Shlomi

Shlomi Fish      http://www.shlomifish.org/
My Favourite FOSS - http://www.shlomifish.org/open-source/favourite/

Chuck Norris is the greatest man in history. He killed all the great men who
could ever pose a competition.
    — http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
dancer-users mailing list
dancer-users at dancer.pm

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.preshweb.co.uk/pipermail/dancer-users/attachments/20151005/2937e925/attachment.html>

More information about the dancer-users mailing list