[dancer-users] Stored XSS via AJAX
Warren Young
wyml at etr-usa.com
Fri Oct 9 17:47:22 BST 2015
On Oct 9, 2015, at 10:33 AM, Amelia Ireland <aireland at lbl.gov> wrote:
>
> These XSS attacks are Javascript-based, which means they operate on the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the Javascript 'eval' command would have no effect on your Dancer app.
Additionally, ECMAScript 5.1 and 6 added JSON.parse() specifically to avoid the need to either use eval() or hand-roll a JSON parser:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
Well-written client-side libraries like jQuery use JSON.parse() if available. jQuery doesn’t fall back on a hand-rolled parser, though, probably because it would add too much code, and would only be needed to support old browsers. It just uses a hidden form of eval() if JSON.parse() doesn’t exist.
Therefore, security against XSS in this case depends on using a modern browser. As noted by MDN, that means any version of Chrome, Firefox 3.5+, IE 8+, Opera 10.5+, or Safari 4+.
Notice that the only one of these that isn’t ancient by now is IE, which is why friends don’t let friends use IE. :)
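As an added illustration of the point above (example code written for this page, not code from Warren's post, from Dancer or from jQuery), here is a client-side helper that decodes an AJAX response body with JSON.parse() only and never falls back to eval() or a Function() wrapper. The three response bodies are constructed for the demonstration; the `tampered` marker is a hypothetical side effect used only to show that nothing in the body is executed when it is rejected.

```javascript
// Added example: decode a response body with JSON.parse() only.
// Strict JSON decoding: returns { ok: true, value } on success and
// { ok: false, error } when the text is not JSON. The text is never
// evaluated as code, so a body that is really a script is simply rejected
// instead of being run the way an eval() fallback would run it.
function parseJsonStrict(text) {
  if (typeof text !== 'string') {
    return { ok: false, error: 'response body is not a string' };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    // SyntaxError for anything that is not JSON (JS code, comments,
    // single quotes, trailing commas, ...).
    return { ok: false, error: err.name + ': ' + err.message };
  }
}

// Constructed sample bodies a client might receive from a JSON endpoint.
const GOOD_BODY = '{"user":"alice","roles":["editor"]}';

// Valid JavaScript but not valid JSON. An eval()-based decoder would run
// this and set the (hypothetical) marker; JSON.parse() throws instead.
const SCRIPT_BODY =
  '(function(){ globalThis.tampered = true; return {"user":"alice"}; })()';

// JS object-literal syntax that eval() accepts and JSON.parse() rejects.
const SLOPPY_BODY = "{'user': 'alice',}";

// Run all three through the strict decoder and report the outcomes.
function demo() {
  const results = {
    good: parseJsonStrict(GOOD_BODY),
    script: parseJsonStrict(SCRIPT_BODY),
    sloppy: parseJsonStrict(SLOPPY_BODY),
    // true only if something executed the script body, which must not happen
    markerSet: globalThis.tampered === true,
  };
  return results;
}

const outcome = demo();
console.log(JSON.stringify(outcome, null, 2));
```

The decoder accepts only the first body; the other two are reported as errors and the marker is never set, which is exactly the property that a decoder with an eval() fallback cannot guarantee on browsers lacking JSON.parse().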