[dancer-users] Stored XSS via AJAX
Mike Cu
mike_cu80 at yahoo.com
Fri Oct 9 09:53:25 BST 2015
I was reading about
Stored XSS via AJAX on
Web Application Exploits and Defenses
where it says "Second, in the browser, Gruyere converts the JSON by using Javascript's eval. In general, eval is very dangerous and should rarely be used. If it used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser which ensures that the string does not include any unsafe content. The JSON parser is available at json.org."
So I'm wondering what Dancer does: eval, or a parser?
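The browser-side point in the quoted Gruyere text can be shown directly. The following is an added example, not code from the original post, from Gruyere or from Dancer: it puts an eval-based JSON "parser" next to one built on JSON.parse and feeds both a constructed response body that is valid JavaScript but not valid JSON. The function names (`parseWithEval`, `parseWithJsonParser`, `bumpSideEffects`, `demo`) and the sample bodies are hypothetical.

```javascript
// Added example (not from the original post): why JSON.parse, not eval,
// should turn an AJAX response body into data in the browser.

// Counter that only exists to make an eval side effect observable here.
let sideEffects = 0;
globalThis.bumpSideEffects = () => { sideEffects += 1; return 1; };

// Unsafe: treats the response body as JavaScript source. Anything that is
// valid JavaScript runs, whether or not it is JSON.
function parseWithEval(body) {
  // Wrapping in parentheses is the usual idiom for eval'ing an object literal.
  return eval('(' + body + ')');
}

// Safe: JSON.parse accepts only the JSON grammar and throws on anything else.
// The optional expectedKeys check additionally rejects well-formed JSON
// that does not have the shape the caller is prepared to handle.
function parseWithJsonParser(body, expectedKeys = []) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: 'invalid JSON: ' + e.message };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  for (const k of expectedKeys) {
    if (!Object.prototype.hasOwnProperty.call(data, k)) {
      return { ok: false, error: 'missing key: ' + k };
    }
  }
  return { ok: true, data };
}

// Constructed sample response bodies (not taken from the original post).
const benignBody = '{"user": "alice", "snippets": 3}';
// Valid JavaScript, invalid JSON: a comma expression whose first part calls
// a function and whose second part is the object the caller expects.
const nonJsonBody = 'bumpSideEffects(), {"user": "alice", "snippets": 3}';

// Runs both parsers over the samples and reports what happened.
function demo() {
  const before = sideEffects;
  const viaEval = parseWithEval(nonJsonBody);        // executes bumpSideEffects()
  const evalRanCode = sideEffects === before + 1;
  const viaParser = parseWithJsonParser(nonJsonBody, ['user']); // rejected
  const benign = parseWithJsonParser(benignBody, ['user', 'snippets']);
  return {
    evalRanCode,
    viaEvalUser: viaEval.user,
    parserRejected: !viaParser.ok,
    parserError: viaParser.error,
    benignOk: benign.ok,
  };
}

console.log(demo());
```

The eval version returns a perfectly normal-looking object, so nothing in the application would notice that extra code ran while producing it; the JSON.parse version fails closed on the same input and only hands back data when the body is strict JSON of the expected shape.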