[dancer-users] JSON serializer

Shlomi Fish shlomif at shlomifish.org
Sat Oct 10 09:16:23 BST 2015


Hi Mike!

Sorry for the late response. I should note that based on your questions, it
seems you are getting your concepts mixed up.

On Mon, 5 Oct 2015 21:10:45 +0000 (UTC)
Mike Cu <mike_cu80 at yahoo.com> wrote:

> Hi Shlomi,
> does the serializer internally use a Json parser ?

The JSON serialiser uses a JSON encoder. The JSON decoder parses the JSON
which is given as text.

> if yes, is it safe to
> assume that it would disallow a piece of code enclosed in <script> tags in the
> case it was passed in to it?

No, it would not. If you pass text with <script> tags into JSON it will be
placed there as is. Here is an example:

« CODE »
#!/usr/bin/perl

use strict;
use warnings;

use JSON::MaybeXS qw(encode_json decode_json);

my $data = { html_key => <<'EOF' };
<script type="text/language">
alert("I am running");
</script>
EOF

my $json = encode_json($data);

print <<"EOF";
The JSON is:
<<<

$json

>>>
EOF

my $from_json = decode_json($json);

my $html = $from_json->{html_key};

print <<"EOF";
The HTML is:

[[[

$html

]]]
EOF

« / CODE »

which gives the following output:

« OUTPUT »

shlomif at telaviv1:~$ perl json-roundtrip.pl
The JSON is:
<<<

{"html_key":"<script type=\"text/language\">\nalert(\"I am
running\");\n</script>\n"}

>>>
The HTML is:

[[[

<script type="text/language">
alert("I am running");
</script>


]]]
shlomif at telaviv1:~$

« END OF OUTPUT »

> is the Ajax call safe itself?

It depends how you do it and handle its data. You can try escaping the HTML if
you are putting it into a document.

> because since it
> uses Json should the Json also be escaped?
> 

The JSON (in all-caps - it is not spelled "Json") will not necessarily be
escaped.

Regards,

	Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality -  http://shlom.in/sw-quality

Chuck Norris refactors 10 million lines of Perl code before lunch.
    — http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
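The consumer side of the exchange above, as an added example that is not part of the original post or of Dancer itself: the JSON text is a constructed copy of the output the Perl script printed, and the helper names (roundTrip, escapeHtml, jsonForScriptElement) are assumed. It shows that JSON.parse hands the <script> text back untouched, so escaping has to happen at the point where the value is put into the document, and what escaping is needed when JSON is embedded inside a <script> element.

```javascript
// Constructed sample: the JSON produced by the Perl round-trip script above.
const SAMPLE_JSON =
  '{"html_key":"<script type=\\"text/language\\">\\nalert(\\"I am running\\");\\n</script>\\n"}';

// JSON decoding restores the raw text; the <script> tags come back as-is.
// Nothing in the JSON layer protects the page that inserts this value.
function roundTrip(jsonText) {
  const data = JSON.parse(jsonText);
  return data.html_key;
}

// HTML-escape a string before it is inserted as markup (e.g. via innerHTML).
// Assigning to textContent instead would make this step unnecessary.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// When JSON is embedded inside a <script> element rather than fetched via Ajax,
// the HTML parser runs first: a literal "</script>" in a string would end the
// element early. Escaping <, >, & (and the JS line terminators U+2028/U+2029)
// as \uXXXX keeps the output valid JSON while removing those characters.
function jsonForScriptElement(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Stand-alone demonstration.
const html = roundTrip(SAMPLE_JSON);
console.log('Decoded value still contains <script>:', html.includes('<script'));
console.log('Escaped for markup:', escapeHtml(html));
console.log('Safe to embed in a <script> element:', jsonForScriptElement({ html_key: html }));
```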

