On 11.07.2011, at 12:24, Jordi Boggiano wrote:

> On 08.07.2011 00:14, Lukas Kahwe Smith wrote:
>> $article = new Article();
>> $this->templating->render($template, $article);
>> 
>> would allow for
>> {{ params.title }}
> 
> That's alright, although not so common; array('article'=>$article) would
> be more usual imo.

What do you mean by "usual"?
The point was that having to manually define the variable name by wrapping
things in an assoc array is ugly.

>> $articles = array(new Article(), new Article());
>> $this->templating->render($template, $articles);
>> 
>> would allow for
>> {{ params[0].title }}
> 
> That's not alright at all, you should never have an array on the top
> level of a json response, because it opens your API to potential CSRF
> attacks [1].
> 
> This should be array('articles' => $articles).
> 
> I don't think we should facilitate insecure practices.
> 
> [1] http://flask.pocoo.org/docs/security/#json-security


Ah, I wasn't aware of this. I will ponder what this means.

Btw: for XML we always need to wrap, since there can only be one root element.

One issue is of course that via normalizers in the Serializer used by the
FOSRestBundle an object may be turned into an associative array.
But I guess I will just revert those changes I did today.

regards,
Lukas Kahwe Smith
m...@pooteeweet.org
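The point raised above (never emit a JSON array at the top level of a response, wrap lists under a key instead) can be enforced in one place at render time. The following is an added example written for this thread, not code from Symfony, the templating layer or FOSRestBundle; the function names `renderJson` and `hasObjectTopLevel`, the default wrap key `items`, and the minimal `Article` class are assumptions for illustration. It assumes PHP 8.1 or newer for `array_is_list`.

```php
<?php
// Added example: a render helper that never produces a top-level JSON array.
// `Article`, `renderJson` and `hasObjectTopLevel` are illustrative names.

final class Article
{
    public function __construct(public string $title) {}
}

/**
 * Encode template parameters as JSON, guaranteeing a JSON object at the top level.
 *
 * - An object (e.g. a single Article) or an associative array already encodes
 *   as a JSON object and is passed through unchanged, so {{ params.title }} works.
 * - A PHP list (keys 0..n-1, including the empty array) would encode as a bare
 *   JSON array, which is what the thread warns against; it is wrapped under
 *   $wrapKey so the client reads {"articles": [...]} instead of [...].
 * - Scalars/null cannot be wrapped meaningfully and are rejected.
 */
function renderJson(mixed $params, string $wrapKey = 'items'): string
{
    if (is_array($params) && array_is_list($params)) {
        $params = [$wrapKey => $params];
    } elseif (!is_array($params) && !is_object($params)) {
        throw new InvalidArgumentException('Top-level JSON payload must be an object or array of parameters');
    }

    return json_encode($params, JSON_THROW_ON_ERROR);
}

/**
 * Response-side check (usable in a test or a response listener): true when the
 * first non-whitespace character of the body opens a JSON object.
 */
function hasObjectTopLevel(string $json): bool
{
    return ltrim($json) !== '' && ltrim($json)[0] === '{';
}

// Constructed sample data for the demonstration.
$articles = [new Article('First'), new Article('Second')];

// List of articles: wrapped under an explicit key.
$listBody = renderJson($articles, 'articles');
echo $listBody, PHP_EOL;

// Single object: already a JSON object, passed through untouched.
$singleBody = renderJson(new Article('Solo'));
echo $singleBody, PHP_EOL;

// Empty list: still wrapped, so it never becomes a bare "[]".
echo renderJson([], 'articles'), PHP_EOL;

// Both bodies satisfy the check; a raw json_encode($articles) would not.
assert(hasObjectTopLevel($listBody));
assert(hasObjectTopLevel($singleBody));
assert(!hasObjectTopLevel(json_encode($articles)));
```

The wrap key is passed explicitly at the call site, so the caller still chooses the variable name (`articles` here); the helper only refuses to let a list reach the top level. The `hasObjectTopLevel` check is deliberately independent of the encoder, so it can be applied to any outgoing response body as a regression test regardless of which normalizer produced it.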


