From: Ben Darnell
Date: Sun, 5 Sep 2010 03:38:59 +0000 (-0700)
Subject: Document why RequestHandler.write does not convert lists to JSON.
X-Git-Tag: v1.1.0~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93fc3d0935e11ad1056e1a4cf3826935faebb0db;p=thirdparty%2Ftornado.git

Document why RequestHandler.write does not convert lists to JSON.
---
diff --git a/tornado/web.py b/tornado/web.py
index ac2fd0edf..ee9cbd32d 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -387,6 +387,11 @@ class RequestHandler(object):
 If the given chunk is a dictionary, we write it as JSON and set the Content-Type of the response to be text/javascript.
+
+ Note that lists are not converted to JSON because of a potential
+ cross-site security vulnerability. All JSON output should be
+ wrapped in a dictionary. More details at
+ http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
 """
 assert not self._finished
 if isinstance(chunk, dict):
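Review bot: The added docstring note gives the rationale only through an external blog URL and does not say what write() does when it is handed a list, so a reader cannot tell whether a list is rejected or written some other way; the body of write() continues past the hunk, so that behaviour is not visible here. I would summarise the issue inline so the explanation survives if the link goes away, for example `A top-level JSON array is also a valid script, so in some browsers another site could load an authenticated response via a <script> tag and read its contents.`, and add one sentence stating what happens to a list argument. It would also help to say that wrapping output in a dictionary addresses only this cross-site read and does not replace authentication or CSRF checks on handlers that return sensitive data. The docstring still describes dict responses as text/javascript; whether that Content-Type should be revisited is outside this change but relevant to the same concern.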