[dancer-users] Stored XSS via AJAX
wyml at etr-usa.com
Fri Oct 9 17:47:22 BST 2015
On Oct 9, 2015, at 10:33 AM, Amelia Ireland <aireland at lbl.gov> wrote:
> Additionally, ECMAScript 5.1 and 6 added JSON.parse() specifically to avoid the need to either use eval() or hand-roll a JSON parser:
Well-written client-side libraries like jQuery use JSON.parse() if available. jQuery doesn’t fall back on a hand-rolled parser, though, probably because it would add too much code, and would only be needed to support old browsers. It just uses a hidden form of eval() if JSON.parse() doesn’t exist.
Therefore, security against XSS in this case depends on using a modern browser. As noted by MDN, that means any version of Chrome, Firefox 3.5+, IE 8+, Opera 10.5+, or Safari 4+.
Notice that the only one of these that isn’t ancient by now is IE, which is why friends don’t let friends use IE. :)
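The contrast the message draws, as an added example that is not part of the original post or of jQuery's code: the same attacker-controlled response body is handed first to an eval-style parser (a stand-in for the "hidden eval" a client falls back to when JSON.parse() is missing; jQuery's exact fallback is not reproduced) and then to JSON.parse(). The sample bodies, the `pwned` flag and the `strictParse` helper that refuses to fall back are constructed for illustration.

```javascript
// Added example (not from the mailing-list post or from jQuery).
// Compares an eval-style parse with JSON.parse() on attacker-controlled input.

// Stand-in for the "hidden eval" fallback: evaluate the body as a JS expression.
// (Illustrative; jQuery's real fallback is not reproduced here.)
function evalParse(text) {
  return (new Function("return " + text))();
}

// Hardened variant: use JSON.parse() or fail closed, never fall back to eval.
function strictParse(text) {
  if (typeof JSON === "undefined" || typeof JSON.parse !== "function") {
    throw new Error("JSON.parse unavailable; refusing to fall back to eval");
  }
  return JSON.parse(text);
}

// Constructed sample responses.
const benignBody = '{"user":"alice","admin":false}';
// Constructed hostile body: valid JavaScript, but not valid JSON.
const hostileBody =
  '(function(){ globalThis.pwned = true; return {"user":"alice","admin":true}; })()';

// Run a parser and report whether it accepted the input, without throwing.
function tryParse(parser, text) {
  try {
    return { ok: true, value: parser(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Exercise both parsers on both bodies; the hostile body executes under
// evalParse (and sets globalThis.pwned) but is rejected by strictParse.
function demo() {
  globalThis.pwned = false;
  const results = {
    evalBenign: tryParse(evalParse, benignBody),
    evalHostile: tryParse(evalParse, hostileBody),
    pwnedAfterEval: globalThis.pwned,
  };
  globalThis.pwned = false;
  results.strictBenign = tryParse(strictParse, benignBody);
  results.strictHostile = tryParse(strictParse, hostileBody);
  results.pwnedAfterStrict = globalThis.pwned;
  return results;
}
```

Feature-detect JSON.parse() and fail closed rather than degrade to eval(); a library that silently evaluates the response on old browsers turns any endpoint that can be made to return attacker-shaped text into script execution in the page.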