[dancer-users] Stored XSS via AJAX

Warren Young wyml at etr-usa.com
Fri Oct 9 17:47:22 BST 2015

On Oct 9, 2015, at 10:33 AM, Amelia Ireland <aireland at lbl.gov> wrote:
> These XSS attacks are Javascript-based, which means they operate on the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the Javascript 'eval' command would have no effect on your Dancer app.

Additionally, ECMAScript 5.1 and 6 added JSON.parse() specifically to avoid the need to either use eval() or hand-roll a JSON parser:


Well-written client-side libraries like jQuery use JSON.parse() if available.  jQuery doesn’t fall back on a hand-rolled parser, though, probably because it would add too much code, and would only be needed to support old browsers.  It just uses a hidden form of eval() if JSON.parse() doesn’t exist.

Therefore, security against XSS in this case depends on using a modern browser.  As noted by MDN, that means any version of Chrome, Firefox 3.5+, IE 8+, Opera 10.5+, or Safari 4+.

Notice that the only one of these that isn’t ancient by now is IE, which is why friends don’t let friends use IE. :)

More information about the dancer-users mailing list