﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36905	Remove safe parameter from JsonResponse	Tim Schilling	Tim Schilling	"The `JsonResponse` uses the `safe` parameter to limit responses to only dictionary-like objects. This was to protect against a security vulnerability in browsers due to ECMAScript4. Browsers that use ECMAScript4 are sufficiently old now that we can safely remove this.

This is currently [https://www.django-antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html mentioned as an antipattern] on django-antipatterns.org, but it shouldn't be any more due to adoption of ECMAScript5 which isn't vulnerable to this exploit.

Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016]. Their new [https://docs.djangoproject.com/en/6.0/ref/request-response/#jsonresponse-objects security message is here.]

Regarding implementation, I suspect we could immediately deprecate this parameter for the next major release and follow our typical deprecation process. We should also reach out to django-antipatterns.org to have them amend that article with our new stance."	Cleanup/optimization	assigned	HTTP handling	dev	Normal		security	Tim Schilling	Unreviewed	0	0	0	0	0	0
