#36905 assigned Cleanup/optimization
Remove safe parameter from JsonResponse — at Initial Version
| Reported by: | Timothy Schilling | Owned by: | Timothy Schilling |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | security |
| Cc: | Timothy Schilling, Adam Johnson | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The JsonResponse uses the safe parameter to limit responses to only dictionary-like objects. This was to protect against a security vulnerability in browsers due to ECMAScript4. Browsers that use ECMAScript4 are sufficiently old now that we can safely remove this.
This is currently mentioned as an antipattern on django-antipatterns.org, but it shouldn't be anymore due to the adoption of ECMAScript5, which isn't vulnerable to this exploit.
Flask did the same in 2016. Their new security message is here.
Regarding implementation, I suspect we could immediately deprecate this parameter for the next major release and follow our typical deprecation process. We should also reach out to django-antipatterns.org to have them amend that article with our new stance.