git.ipfire.org Git - thirdparty/tornado.git/commitdiff
Update links for comments about json list output.
author Ben Darnell <ben@bendarnell.com>
Sat, 15 Mar 2014 04:50:25 +0000 (00:50 -0400)
committer Ben Darnell <ben@bendarnell.com>
Sat, 15 Mar 2014 04:50:25 +0000 (00:50 -0400)
The vulnerability in the older link affects only ancient browsers,
but there are other issues that are more recent.

Fixes #1009.

tornado/web.py

index 2d9908055914c00f2531916fb657b42942e8715f..e2ef7eef4dc0aa5db70b8fcca4ec4aa31e508a60 100644 (file)
@@ -598,7 +598,8 @@ class RequestHandler(object):
         Note that lists are not converted to JSON because of a potential
         cross-site security vulnerability.  All JSON output should be
         wrapped in a dictionary.  More details at
-        http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
+        http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ and
+        https://github.com/facebook/tornado/issues/1009
         """
         if self._finished:
             raise RuntimeError("Cannot write() after finish().  May be caused "
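
Review bot: the URL added on the first `+` line ends in `json-hijacking.aspx/`, with a trailing slash after the `.aspx` extension that the removed URL did not have; confirm it resolves as written or drop the slash. Separately, the docstring still explains the refusal to serialize lists only as "a potential cross-site security vulnerability" plus two external links. One sentence naming the issue (the linked article calls it JSON hijacking) and noting, as the commit message does, that the older variant affects only ancient browsers while more recent issues remain, would keep the rationale readable from the docstring alone if either link stops working.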