[dancer-users] JSON serializer

Shlomi Fish shlomif at shlomifish.org
Sat Oct 10 09:16:23 BST 2015

Hi Mike!

Sorry for the late response. I should note that based on your questions, it
seems you are getting your concepts mixed up.

On Mon, 5 Oct 2015 21:10:45 +0000 (UTC)
Mike Cu <mike_cu80 at yahoo.com> wrote:

> Hi Shlomi,
> does the serializer internally use a Json parser?

The JSON serialiser uses a JSON encoder. The JSON decoder parses the JSON
which is given as text.

> if yes, is it safe to
> assume that it would disallow a piece of code enclosed in <script> tags in the
> case it was passed in to it?

No, it would not. If you pass text with <script> tags into a JSON it will be
placed there as is. Here is an example:

« CODE »

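use strict;
use warnings;

use JSON::MaybeXS qw(encode_json decode_json);

# The value is a string that contains markup; the encoder treats it as
# plain text.
my $data = { html_key => <<'EOF' };
<script type="text/language">
alert("I am running");
EOF

# Encode the Perl data structure to JSON text.
my $json = encode_json($data);

print <<"EOF";
The JSON is:

$json

EOF

# Decode the JSON text back into a Perl data structure.
my $from_json = decode_json($json);

my $html = $from_json->{html_key};

print <<"EOF";
The HTML is:

$html

EOF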

« / CODE » 

which gives the following output:


shlomif at telaviv1:~$ perl json-roundtrip.pl
The JSON is:

{"html_key":"<script type=\"text/language\">\nalert(\"I am

The HTML is:

<script type="text/language">
alert("I am running");
shlomif at telaviv1:~$


> is the Ajax call safe itself? 

It depends how you do it and handle its data. You can try escaping the HTML if
you are putting it into a document. 

> because since it
> uses Json should the Json also be escaped?

The JSON (in all-caps - it is not spelled "Json") will not necessarily be


	Shlomi Fish

Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality -  http://shlom.in/sw-quality

Chuck Norris refactors 10 million lines of Perl code before lunch.
    — http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
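
The escaping step suggested in the reply above, shown as an added example that is not part of the original post: the JSON round trip returns the string unchanged, so the escaping has to happen at the point where the value is written into HTML. The `escape_html` helper and the sample string are constructed for this illustration.

```perl
use strict;
use warnings;

use JSON::MaybeXS qw(encode_json decode_json);

# Hypothetical helper: replace the characters that are significant in
# HTML text and quoted attribute values with character references.
# A single pass over the string means no character is escaped twice.
sub escape_html {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Constructed sample: untrusted text as it might arrive in a request.
my $untrusted =
    qq{<script type="text/language">\nalert("I am running");\n</script>};

# JSON round trip: the decoder hands back exactly the string that was
# encoded, markup included. JSON quoting protects the JSON syntax only.
my $json      = encode_json( { html_key => $untrusted } );
my $from_json = decode_json($json);
die "round trip changed the data\n"
    unless $from_json->{html_key} eq $untrusted;

# Interpolating the decoded value directly yields a live <script> element.
my $raw_fragment = "<div>$from_json->{html_key}</div>";

# Escaping at the HTML output step turns the same value into inert text.
my $safe_fragment = '<div>' . escape_html( $from_json->{html_key} ) . '</div>';

print "JSON:\n$json\n\n";
print "Unescaped fragment:\n$raw_fragment\n\n";
print "Escaped fragment:\n$safe_fragment\n";
```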
