[dancer-users] JSON serializer
Shlomi Fish
shlomif at shlomifish.org
Sat Oct 10 09:16:23 BST 2015
Hi Mike!
Sorry for the late response. I should note that based on your questions, it
seems you are getting your concepts mixed up.
On Mon, 5 Oct 2015 21:10:45 +0000 (UTC)
Mike Cu <mike_cu80 at yahoo.com> wrote:
> Hi Shlomi,
> does the serializer internally use a Json parser ?
The JSON serialiser uses a JSON encoder. The JSON decoder parses the JSON
which is given as text.
> if yes, is it safe to
> assume that it would disallow a piece of code enclosed in <script> tags in the
> case it was passed in to it?
No, it would not. If you pass text with <script> tags into a JSON document, it
will be placed there as is. Here is an example:
« CODE »
#!/usr/bin/perl
use strict;
use warnings;
use JSON::MaybeXS qw(encode_json decode_json);
# A value that contains raw HTML markup, including a <script> element.
my $data = { html_key => <<'EOF' };
<script type="text/language">
alert("I am running");
</script>
EOF
# Encoding only applies JSON string escaping (quotes, newlines);
# the angle brackets are kept verbatim.
my $json = encode_json($data);
print <<"EOF";
The JSON is:
<<<
$json
>>>
EOF
# Decoding gives back the original string, <script> tags included.
my $from_json = decode_json($json);
my $html = $from_json->{html_key};
print <<"EOF";
The HTML is:
[[[
$html
]]]
EOF
« / CODE »
which gives the following output:
« OUTPUT »
shlomif at telaviv1:~$ perl json-roundtrip.pl
The JSON is:
<<<
{"html_key":"<script type=\"text/language\">\nalert(\"I am
running\");\n</script>\n"}
>>>
The HTML is:
[[[
<script type="text/language">
alert("I am running");
</script>
]]]
shlomif at telaviv1:~$
« END OF OUTPUT »
> is the Ajax call safe itself?
It depends how you do it and handle its data. You can try escaping the HTML if
you are putting it into a document.
> because since it
> uses Json should the Json also be escaped?
>
The JSON (in all-caps - it is not spelled "Json") will not necessarily be
escaped.
Regards,
Shlomi Fish
--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
What Makes Software Apps High Quality - http://shlom.in/sw-quality
Chuck Norris refactors 10 million lines of Perl code before lunch.
— http://www.shlomifish.org/humour/bits/facts/Chuck-Norris/
Please reply to list if it's a mailing list post - http://shlom.in/reply .