Changes between Initial Version and Version 1 of Ticket #36905
- Timestamp: Feb 6, 2026, 7:23:59 AM
Ticket #36905 – Description (initial → v1)

Line 3 (unmodified):
This is currently [https://www.django-antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html mentioned as an antipattern] on django-antipatterns.org, but it shouldn't be any more due to adoption of ECMAScript 5, which isn't vulnerable to this exploit.

Line 5 (modified):
- initial: Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016]. Their new [https://docs.djangoproject.com/en/6.0/ref/request-response/#jsonresponse-objects security message is here.]
- v1: Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016]. Their new [https://flask.palletsprojects.com/en/stable/web-security/#json-security security message is here.]

Line 7 (unmodified):
Regarding implementation, I suspect we could immediately deprecate this parameter for the next major release and follow our typical deprecation process. We should also reach out to django-antipatterns.org to have them amend that article with our new stance.
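The description rests on one engine property: since ECMAScript 5, array literals and `JSON.parse` results are built from the intrinsic Array, so replacing the global `Array` binding cannot observe them. The following Node.js check is an added example, not code from the ticket or from Django or Flask; it installs a counting replacement for `globalThis.Array`, confirms with an explicit `new Array()` that the replacement is live, and then verifies that a constructed top-level-array JSON body (the shape `JsonResponse(..., safe=False)` emits) never reaches it. `sampleJson` and `checkEs5ArrayIsolation` are names chosen here.

```javascript
// Constructed sample: a top-level JSON array, the response shape the `safe` guard was meant to block.
const sampleJson = '[{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]';

// Returns how often a replaced global Array constructor is invoked by
// (a) an explicit `new Array()` call (positive control, expected 1) and
// (b) an array literal plus JSON.parse of `jsonText` (expected 0 on any ES5+ engine).
function checkEs5ArrayIsolation(jsonText) {
  const OriginalArray = globalThis.Array;
  let hookCalls = 0;
  // Replacement that records each invocation and then defers to the real constructor.
  globalThis.Array = function () {
    hookCalls += 1;
    return OriginalArray.apply(null, arguments);
  };
  try {
    // Positive control: an explicit constructor call goes through the global binding.
    const controlStart = hookCalls;
    new Array(1);
    const controlCalls = hookCalls - controlStart;

    // Under test: literal and JSON.parse use the intrinsic %Array%, not the global binding.
    const implicitStart = hookCalls;
    const literal = [1, 2, 3];
    const parsed = JSON.parse(jsonText);
    const implicitCalls = hookCalls - implicitStart;

    return {
      controlCalls,                       // 1: the hook really was installed
      implicitCalls,                      // 0: literals and JSON.parse never consulted it
      literalLength: literal.length,      // 3
      parsedLength: parsed.length,        // 2 for sampleJson
      parsedIsArray: OriginalArray.isArray(parsed),
    };
  } finally {
    globalThis.Array = OriginalArray;     // always restore the real constructor
  }
}
```

Running the check in the JavaScript runtime you actually ship to (browser or otherwise) is the concrete way to confirm the assumption before relying on it for a default change.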