On Oct 9, 2015, at 10:33 AM, Amelia Ireland <[email protected]> wrote:
>
> These XSS attacks are Javascript-based, which means they operate on the
> user's browser. Dancer runs on the server and is written in Perl, so XSS
> attacks written to take advantage of the Javascript 'eval' command would have
> no effect on your Dancer app.
Additionally, ECMAScript 5.1 and 6 added JSON.parse() specifically to avoid the need to either use eval() or hand-roll a JSON parser:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse

Well-written client-side libraries like jQuery use JSON.parse() if available. jQuery doesn’t fall back on a hand-rolled parser, though, probably because it would add too much code, and would only be needed to support old browsers. It just uses a hidden form of eval() if JSON.parse() doesn’t exist.

Therefore, security against XSS in this case depends on using a modern browser. As noted by MDN, that means any version of Chrome, Firefox 3.5+, IE 8+, Opera 10.5+, or Safari 4+. Notice that the only one of these that isn’t ancient by now is IE, which is why friends don’t let friends use IE. :)

_______________________________________________
dancer-users mailing list
[email protected]
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
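The difference the reply above is drawing, shown in code: this is an added example and not code from the thread, from Dancer or from jQuery. The helper names (parseJsonStrict, classify, evalLooselyForContrast) and the sample payloads are constructed for illustration. JSON.parse() accepts only the JSON grammar and throws a SyntaxError on anything else, so a response that is valid JavaScript but not valid JSON is rejected as data rather than run as code; the eval()-style fallback evaluates the same string.

```javascript
// Added example (not from the mailing-list thread): parsing server data with
// JSON.parse() instead of eval(). Helper names and sample payloads are
// constructed for illustration.

// Strict parser: only accepts what the JSON grammar allows. Anything that is
// executable JavaScript rather than data makes JSON.parse() throw SyntaxError.
function parseJsonStrict(text) {
  if (typeof text !== "string") {
    throw new TypeError("expected a string, got " + typeof text);
  }
  return JSON.parse(text); // throws SyntaxError on non-JSON input
}

// Classify a payload: "data" if it is valid JSON, "rejected" otherwise.
function classify(text) {
  try {
    parseJsonStrict(text);
    return "data";
  } catch (e) {
    if (e instanceof SyntaxError) return "rejected";
    throw e; // anything else is a programming error, not bad input
  }
}

// The weak side, for contrast only: an eval()-based fallback (the "hidden
// form of eval()" the reply mentions) runs whatever the string contains.
function evalLooselyForContrast(text) {
  return eval("(" + text + ")");
}

// Constructed sample responses (not real traffic).
const SAMPLES = {
  // Plain JSON: accepted by both parsers, but only as data.
  plainJson: '{"user": "alice", "roles": ["editor"]}',
  // Valid JavaScript but not JSON: a comma expression whose second operand
  // is a function call. JSON.parse() stops at the trailing comma; eval() runs it.
  jsExpression: '{"user": "alice"}, (function () { return "ran as code"; })()',
  // Sloppy object literal: unquoted key and single quotes. Not JSON either.
  sloppyObject: "{user: 'alice'}",
};

// Run every sample through the strict parser and report the outcome.
function demo() {
  const results = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    results[name] = classify(text);
  }
  return results; // { plainJson: "data", jsExpression: "rejected", sloppyObject: "rejected" }
}

console.log(demo());
```

The practical rule this encodes: treat the body of an XHR or fetch response as a string and hand it to JSON.parse(); never feed it to eval(), new Function(), or any library path that does so when JSON.parse() is missing. On the browsers the reply lists, JSON.parse() is always present, so the fallback is never reached.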
