-rw-r--r--  django/http/response.py        4
-rw-r--r--  docs/ref/request-response.txt  23
2 files changed, 7 insertions, 20 deletions
diff --git a/django/http/response.py b/django/http/response.py
index dbefb17359..fe267f700f 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -747,9 +747,7 @@ class JsonResponse(HttpResponse):
"""
An HTTP response class that consumes data to be serialized to JSON.
- :param data: Data to be dumped into json. By default only ``dict`` objects
- are allowed to be passed due to a security flaw before ECMAScript 5. See
- the ``safe`` parameter for more information.
+ :param data: Data to be dumped into json.
:param encoder: Should be a json encoder class. Defaults to
``django.core.serializers.json.DjangoJSONEncoder``.
:param safe: Controls if only ``dict`` objects may be serialized. Defaults
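Review bot: the ``:param safe:`` entry retained at the end of this hunk still documents ``safe`` as a live option ("Controls if only ``dict`` objects may be serialized. Defaults ..."), while the docs change in the same commit marks the parameter as deprecated in 6.2 and describes it as "(now deprecated)"; the docstring should say the same, e.g. ":param safe: Deprecated since 6.2. Controls if only ``dict`` objects may be serialized." The rewritten ``:param data: Data to be dumped into json.`` line also drops the cross-reference to ``safe`` that the removed text carried ("See the ``safe`` parameter for more information"); keeping a short pointer there would tell a reader why the parameter exists at all.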
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index 1ca5cb0c78..9ab3127df0 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -1267,32 +1267,21 @@ Typical usage could look like:
Serializing non-dictionary objects
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-In order to serialize objects other than ``dict`` you must set the ``safe``
-parameter to ``False``:
+Objects other than ``dict`` can be serialized:
.. code-block:: pycon
- >>> response = JsonResponse([1, 2, 3], safe=False)
-
-Without passing ``safe=False``, a :exc:`TypeError` will be raised.
+ >>> response = JsonResponse([1, 2, 3])
Note that an API based on ``dict`` objects is more extensible, flexible, and
makes it easier to maintain forwards compatibility. Therefore, you should avoid
-using non-dict objects in JSON-encoded response.
-
-.. warning::
-
- Before the `5th edition of ECMAScript
- <https://262.ecma-international.org/5.1/#sec-11.1.4>`_ it was possible to
- poison the JavaScript ``Array`` constructor. For this reason, Django does
- not allow passing non-dict objects to the
- :class:`~django.http.JsonResponse` constructor by default. However, most
- modern browsers implement ECMAScript 5 which removes this attack vector.
- Therefore it is possible to disable this security precaution.
+using non-dict objects in JSON-encoded responses.
.. versionchanged:: 6.2
- In earlier versions, the ``safe`` parameter defaulted to ``True``.
+ In earlier versions, it was necessary to pass ``safe=False`` to serialize
+ other objects besides dictionaries, as the (now deprecated) ``safe``
+ parameter defaulted to ``True``, raising :exc:`TypeError`.
.. deprecated:: 6.2
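Review bot: the replacement ``versionchanged`` text (the lines beginning "In earlier versions, it was necessary to pass ``safe=False``") says what changed but not why, and the only explanation of the old default, the warning about poisoning the JavaScript ``Array`` constructor before the 5th edition of ECMAScript, is deleted in the same hunk; a one-clause reason, such as "the precaution targeted JavaScript engines predating ECMAScript 5, which modern browsers implement", would let readers judge whether they still need the check elsewhere. The sentence also reads as though the default itself raised the error ("parameter defaulted to ``True``, raising :exc:`TypeError`"); suggest "... parameter defaulted to ``True`` and a :exc:`TypeError` was raised for non-dict data."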