Opened 4 months ago
Last modified 3 days ago
#36905 assigned Cleanup/optimization
Remove safe parameter from JsonResponse — at Version 1
| Reported by: | Tim Schilling | Owned by: | Tim Schilling |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | security |
| Cc: | Tim Schilling, Adam Johnson | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The JsonResponse uses the safe parameter to limit responses to only dictionary-like objects. This was to protect a security vulnerability in browsers due to ECMAScript4. Browsers that use ECMAScript4 are sufficiently old now that we can safely remove this.
This is currently mentioned as an antipattern on django-antipatterns.org, but it shouldn't be any more due to adoption of ECMAScript5 which isn't vulnerable to this exploit.
Flask did the same in 2016. Their new security message is here.
Regarding implementation, I suspect we could immediately deprecate this parameter for the next major release and follow our typical deprecation process. We should also reach out to django-antipatterns.org to have them amend that article with our new stance.