[dancer-users] Stored XSS via AJAX

Mike Cu mike_cu80 at yahoo.com
Fri Oct 9 09:53:25 BST 2015


I was reading about Stored XSS via AJAX in "Web Application Exploits and Defenses" (the Google Gruyere codelab)


where it says: "Second, in the browser, Gruyere converts the JSON by using JavaScript's eval. In general, eval is very dangerous and should rarely be used. If it is used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser, which ensures that the string does not include any unsafe content. The JSON parser is available at json.org."

So I'm wondering, what does Dancer do? eval, or a parser?
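The following is an added example, not code from the original post, from the Gruyere codelab, or from the Dancer project. It shows, in browser-side JavaScript, the difference the quoted paragraph describes between decoding an AJAX response body with eval and with JSON.parse, and it also shows the caveat that a JSON parser alone does not stop stored XSS: the parser only guarantees the body is data, and the stored payload still runs if that data is later concatenated into HTML. The response bodies and the function names (decodeWithEval, decodeWithParser, compareDecoders, renderBioUnsafe, renderBioSafe, escapeHtml) are constructed for this illustration; the "pwned" global is only a marker to detect that code ran.

```javascript
// Added example (not from the original post, Gruyere or Dancer): eval vs.
// JSON.parse when decoding an AJAX response, plus the rendering step that
// decides whether a stored payload becomes script. Inputs are constructed.

// 1. A body a real JSON serializer would emit. The "bio" field holds a stored
//    XSS payload; it is valid JSON, so a parser accepts it as plain text.
const storedPayloadResponse =
  '{"user":"alice","bio":"<img src=x onerror=\\"alert(1)\\">"}';

// 2. A body that is JavaScript, not JSON: an expression with a side effect in
//    a value position. Possible only if the server assembles the response by
//    string concatenation instead of using a serializer.
const javascriptResponse =
  '{"user": (globalThis.pwned = "code ran"), "bio": ""}';

// Gruyere-style decoding: the body is executed as JavaScript source.
function decodeWithEval(body) {
  return eval('(' + body + ')');
}

// Parser-based decoding: anything outside the JSON grammar throws SyntaxError.
function decodeWithParser(body) {
  return JSON.parse(body);
}

// Run both decoders on one body and report what each did.
function compareDecoders(body) {
  delete globalThis.pwned; // reset the "code ran" marker
  const report = { evalAccepted: false, evalRanCode: false,
                   parserAccepted: false, parserError: null };
  try {
    decodeWithEval(body);
    report.evalAccepted = true;
  } catch (e) { /* eval rejected the body as JavaScript */ }
  report.evalRanCode = globalThis.pwned === 'code ran';
  delete globalThis.pwned;
  try {
    decodeWithParser(body);
    report.parserAccepted = true;
  } catch (e) {
    report.parserError = e.name; // "SyntaxError" for non-JSON input
  }
  return report;
}

// Escape for an HTML text context (what assigning element.textContent does).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Unsafe rendering: the decoded value is concatenated into markup (innerHTML),
// so the stored <img onerror> payload executes even though JSON.parse was used.
function renderBioUnsafe(profile) {
  return '<p class="bio">' + profile.bio + '</p>';
}

// Safe rendering: the value is escaped before it becomes markup.
function renderBioSafe(profile) {
  return '<p class="bio">' + escapeHtml(profile.bio) + '</p>';
}

// Usage
console.log('JavaScript body:', compareDecoders(javascriptResponse));
console.log('JSON body with stored payload:', compareDecoders(storedPayloadResponse));
const profile = decodeWithParser(storedPayloadResponse);
console.log('unsafe:', renderBioUnsafe(profile));
console.log('safe:  ', renderBioSafe(profile));
```

The first report shows eval accepting the non-JSON body and running the embedded assignment while JSON.parse rejects it with a SyntaxError; the second shows both decoders accepting the genuine JSON body, which is the point of the caveat: swapping eval for JSON.parse closes the "response body is code" hole, but the stored payload in "bio" is still live data that must be escaped (or assigned via textContent) at the point it reaches the DOM.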