#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Timothy Schilling:
Old description:
> The `JsonResponse` uses the `safe` parameter to limit responses to only
> dictionary-like objects. This was to protect a security vulnerability in
> browsers due to ECMAScript4. Browsers that use ECMAScript4 are
> sufficiently old now that we can safely remove this.
>
> This is currently [https://www.django-
> antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html
> mentioned as an antipattern] on django-antipatterns.org, but it shouldn't
> be any more due to adoption of ECMAScript5 which isn't vulnerable to this
> exploit.
>
> Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016].
> Their new [https://docs.djangoproject.com/en/6.0/ref/request-response
> /#jsonresponse-objects security message is here.]
>
> Regarding implementation, I suspect we could immediately deprecate this
> parameter for the next major release and follow our typical deprecation
> process. We should also reach out to django-antipatterns.org to have them
> amend that article with our new stance.
New description:
The `JsonResponse` uses the `safe` parameter to limit responses to only
dictionary-like objects. This was to protect a security vulnerability in
browsers due to ECMAScript4. Browsers that use ECMAScript4 are
sufficiently old now that we can safely remove this.
This is currently [https://www.django-
antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html
mentioned as an antipattern] on django-antipatterns.org, but it shouldn't
be any more due to adoption of ECMAScript5 which isn't vulnerable to this
exploit.
Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016].
Their new [https://flask.palletsprojects.com/en/stable/web-security/#json-
security security message is here.]
Regarding implementation, I suspect we could immediately deprecate this
parameter for the next major release and follow our typical deprecation
process. We should also reach out to django-antipatterns.org to have them
amend that article with our new stance.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019c331fad68-5cc7cde8-a636-4ac3-8ba9-ffad85fc1693-000000%40eu-central-1.amazonses.com.
