Opened 3 weeks ago
Last modified 6 days ago
#36905 assigned Cleanup/optimization
Remove safe parameter from JsonResponse
| Reported by: | Timothy Schilling | Owned by: | Timothy Schilling |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | security |
| Cc: | Timothy Schilling, Adam Johnson | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The JsonResponse uses the safe parameter to limit responses to only dictionary-like objects. This was to protect against a security vulnerability in browsers due to ECMAScript4. Browsers that use ECMAScript4 are sufficiently old now that we can safely remove this.
This is currently mentioned as an antipattern on django-antipatterns.org, but it shouldn't be anymore due to the adoption of ECMAScript5, which isn't vulnerable to this exploit.
Flask did the same in 2016. Their new security message is here.
Regarding implementation, I suspect we could immediately deprecate this parameter for the next major release and follow our typical deprecation process. We should also reach out to django-antipatterns.org to have them amend that article with our new stance.
Change History (7)
comment:1 by , 3 weeks ago
| Description: | modified (diff) |
|---|
comment:2 by , 3 weeks ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 3 weeks ago
| Cc: | added |
|---|
A regular deprecation seems like the right approach to me. We can add a fixer to Django-upgrade to strip the safe kwarg wherever it’s passed.
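An illustrative fixer of the kind suggested above, added here as an example; it is not code from django-upgrade or Django (django-upgrade's real fixers are token-based, this one is `ast`-based for brevity and only handles the keyword form of `safe`):

```python
import ast


def _is_json_response(func: ast.expr) -> bool:
    """Match `JsonResponse(...)` and `<module>.JsonResponse(...)` calls."""
    if isinstance(func, ast.Name):
        return func.id == "JsonResponse"
    if isinstance(func, ast.Attribute):
        return func.attr == "JsonResponse"
    return False


class StripSafeKwarg(ast.NodeTransformer):
    """Drop the `safe` keyword from JsonResponse calls.

    Once the parameter is removed from Django, passing it raises TypeError,
    so a rewrite like this is what keeps existing call sites working.
    Positional use (third argument) is deliberately left untouched here.
    """

    def __init__(self) -> None:
        self.removed = 0

    def visit_Call(self, node: ast.Call) -> ast.Call:
        self.generic_visit(node)
        if _is_json_response(node.func):
            kept = [kw for kw in node.keywords if kw.arg != "safe"]
            self.removed += len(node.keywords) - len(kept)
            node.keywords = kept
        return node


def strip_safe_kwarg(source: str) -> tuple[str, int]:
    """Return (rewritten source, number of `safe` keywords removed)."""
    tree = ast.parse(source)
    fixer = StripSafeKwarg()
    tree = fixer.visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), fixer.removed


# Constructed sample views, not taken from any real project.
SAMPLE = """
from django.http import JsonResponse
def tags(request):
    return JsonResponse(["a", "b"], safe=False)
def detail(request):
    return JsonResponse({"id": 1}, status=200, safe=True)
def other(request):
    return HttpResponse("x", safe=False)
"""

if __name__ == "__main__":
    new_src, n = strip_safe_kwarg(SAMPLE)
    print(f"removed {n} safe keyword(s)\n{new_src}")
```

Because `ast.unparse` regenerates the source, comments and original quoting are lost; a real fixer would edit tokens in place.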
comment:4 by , 3 weeks ago
@Adam is the fixer to Django-upgrade something you think would be reasonable for a new-ish contributor to be able to figure out? I assigned this to me to hand off to a Djangonaut for the upcoming session.
comment:5 by , 3 weeks ago
Maybe! Planning to write some contribution docs there to make things a bit more comprehensible…
comment:6 by , 9 days ago
Hello @Adam @Timothy! I saw this ticket and would love to work on it if it's available. I recently worked on a similar cleanup in #36894, made the required changes, added new test cases, changed a few previous ones and also added the version changed notes in the docs.
However, I noticed you mentioned handing this off to a Djangonaut. If it's officially reserved for that session, I'll leave it be. I actually just learned about Djangonaut Space and am definitely planning to apply for a future session to learn more from experienced contributors like yourself!
Just let me know if I should take it or look for another one.
comment:7 by , 6 days ago
Hi @Praful, if this is still assigned to me and shows no activity in 2 months, feel free to reassign it to yourself.
Thanks, TIL about this history.