#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy | Owner: Timothy Schilling
Schilling |
Type: | Status: assigned
Cleanup/optimization |
Component: HTTP | Version: dev
handling |
Severity: Normal | Keywords: security
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The `JsonResponse` uses the `safe` parameter to limit responses to only
dictionary-like objects. This was to protect a security vulnerability in
browsers due to ECMAScript4. Browsers that use ECMAScript4 are
sufficiently old now that we can safely remove this.
This is currently [https://www.django-
antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html
mentioned as an antipattern] on django-antipatterns.org, but it shouldn't
be any more due to adoption of ECMAScript5 which isn't vulnerable to this
exploit.
Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016].
Their new [https://docs.djangoproject.com/en/6.0/ref/request-response
/#jsonresponse-objects security message is here.]
Regarding implementation, I suspect we could immediately deprecate this
parameter for the next major release and follow our typical deprecation
process. We should also reach out to django-antipatterns.org to have them
amend that article with our new stance.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019c331db11e-b9ae5d4f-4751-4007-af8c-9400df96449b-000000%40eu-central-1.amazonses.com.
