From b5d9dbdf2bba8df4c85cd0db308b3a467d763d02 Mon Sep 17 00:00:00 2001
From: Jacob Walls
Date: Mon, 1 Jun 2026 10:38:44 -0400
Subject: Refs #36905 -- Moved JSONResponse safe param discussion to versionchanged box.
Follow-up to 6e15ac8066312328de279e3e072667416c205bfc.
---
django/http/response.py | 4 +---
docs/ref/request-response.txt | 23 ++++++-----------------
2 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/django/http/response.py b/django/http/response.py
index dbefb17359..fe267f700f 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -747,9 +747,7 @@ class JsonResponse(HttpResponse):
 """
 An HTTP response class that consumes data to be serialized to JSON.
- :param data: Data to be dumped into json. By default only ``dict`` objects
- are allowed to be passed due to a security flaw before ECMAScript 5. See
- the ``safe`` parameter for more information.
+ :param data: Data to be dumped into json.
 :param encoder: Should be a json encoder class. Defaults to ``django.core.serializers.json.DjangoJSONEncoder``.
 :param safe: Controls if only ``dict`` objects may be serialized. Defaults
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index 1ca5cb0c78..9ab3127df0 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
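Review bot: The rewritten `:param data:` line in the JsonResponse docstring no longer points at `safe`, yet the adjacent `:param safe:` entry (its text runs past the end of this hunk) still reads as a live option, even though the docs hunk in this same commit describes `safe` as "now deprecated". This class docstring is what `help(JsonResponse)` and editor tooltips show, so the deprecation should be stated there as well, e.g. `:param safe: Deprecated since 6.2; previously controlled whether only ``dict`` objects could be serialized.` (the full entry is outside the hunk, so adjust the wording to what follows). The new versionchanged text in the docs hunk also no longer mentions the pre-ECMAScript-5 ``Array``-constructor issue that motivated the `dict`-only default, so after this commit the historical security rationale appears nowhere in the diff; a one-line why-comment on the `safe` entry, such as `# The dict-only default guarded against JSON array hijacking in pre-ES5 browsers.`, would keep it findable for anyone later auditing JsonResponse.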
@@ -1267,32 +1267,21 @@ Typical usage could look like:
 Serializing non-dictionary objects
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-In order to serialize objects other than ``dict`` you must set the ``safe``
-parameter to ``False``:
+Objects other than ``dict`` can be serialized:
 .. code-block:: pycon
- >>> response = JsonResponse([1, 2, 3], safe=False)
-
-Without passing ``safe=False``, a :exc:`TypeError` will be raised.
+ >>> response = JsonResponse([1, 2, 3])
 Note that an API based on ``dict`` objects is more extensible, flexible, and makes it easier to maintain forwards compatibility. Therefore, you should avoid
-using non-dict objects in JSON-encoded response.
-
-.. warning::
-
- Before the `5th edition of ECMAScript `_ it was possible to
- poison the JavaScript ``Array`` constructor. For this reason, Django does
- not allow passing non-dict objects to the
- :class:`~django.http.JsonResponse` constructor by default. However, most
- modern browsers implement ECMAScript 5 which removes this attack vector.
- Therefore it is possible to disable this security precaution.
+using non-dict objects in JSON-encoded responses.
 .. versionchanged:: 6.2
- In earlier versions, the ``safe`` parameter defaulted to ``True``.
+ In earlier versions, it was necessary to pass ``safe=False`` to serialize
+ other objects besides dictionaries, as the (now deprecated) ``safe``
+ parameter defaulted to ``True``, raising :exc:`TypeError`.
 .. deprecated:: 6.2
-- cgit v1.3