JSONResponse allows types other than dict to be serialized without an explicit opt in
Checklist
- The bug is reproducible against the latest release and/or master.
- There are no similar issues or pull requests to fix it yet.
Describe the bug
JSONResponses that are not dicts have a number of disadvantages, such as violating SOP on ES5 browsers and preventing future extension
Additional context
django does this https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/http/response.py#L579-L604
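As an added example (not code from Starlette, Django, or anyone in this thread), here is a standalone serializer that applies the contract the issue asks for, the same one Django's `JsonResponse` enforces: a non-dict top-level value is rejected unless the caller explicitly passes `safe=False`, and a helper wraps a list in an object envelope so the endpoint stays extensible. The function names `render_json`, `wrap_list` and `is_rejected`, the exception class, and the compact encoding options are assumptions made for illustration; the error message quotes Django's wording.

```python
import json
from typing import Any


class UnsafeTopLevelJSON(TypeError):
    """Raised when a non-dict top-level value is serialized without opting in.

    Subclasses TypeError to match the exception Django raises for the same case.
    """


def render_json(content: Any, *, safe: bool = True) -> bytes:
    """Serialize `content` to compact UTF-8 JSON bytes.

    By default only a dict may be the top-level value, so the response body is
    always a JSON object. A top-level array (or scalar) is produced only when the
    caller passes safe=False, making the less extensible shape an explicit choice.
    """
    if safe and not isinstance(content, dict):
        # Wording taken from Django's JsonResponse; the exception type is assumed.
        raise UnsafeTopLevelJSON(
            "In order to allow non-dict objects to be serialized set the "
            "safe parameter to False."
        )
    # Encoding options are assumptions: allow_nan=False rejects NaN/Infinity,
    # which are not valid JSON and are mis-parsed by strict consumers.
    return json.dumps(
        content, ensure_ascii=False, allow_nan=False, separators=(",", ":")
    ).encode("utf-8")


def wrap_list(items: list, key: str = "results", **extra: Any) -> dict:
    """Put a list inside an object envelope.

    Returning {"results": [...]} instead of a bare array keeps the payload a
    dict (so render_json accepts it) and leaves room to add fields such as
    pagination metadata later without breaking existing clients.
    """
    envelope: dict = {key: items}
    envelope.update(extra)
    return envelope


def is_rejected(content: Any) -> bool:
    """Return True if render_json refuses `content` under the default safe=True."""
    try:
        render_json(content)
    except UnsafeTopLevelJSON:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data for a quick demonstration.
    users = [{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]
    print(render_json(wrap_list(users, total=2)))      # accepted: top level is an object
    print(is_rejected(users))                           # True: bare array needs opt-in
    print(render_json(users, safe=False))               # explicit opt-in to a bare array
```

The check is deliberately on the top-level type only; values nested inside the object are unaffected, since the concern is the shape of the response body as a whole, not the presence of arrays within it.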
Issue Analytics
- Created 2 years ago
- Comments: 8 (7 by maintainers)
Top GitHub Comments
I am not @graingert but I remember reading http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ and https://stackoverflow.com/questions/3503102/what-are-top-level-json-arrays-and-why-are-they-a-security-risk on that topic.
Right, agreed, it’s good practice! And it’s what I’d do in any real app. The only situation in which I find myself returning something else is tests. But from above it sounded like there’s issues that go deeper than good design, I wasn’t aware of them so just hoping to learn something. But it seems like indeed the main remaining reason is that it’s a footgun for users that aren’t aware of the consequences of returning a non-extensible response. In that case I agree with @tomchristie: I’m not sure I’d want that enforced on me.