Document why RequestHandler.write does not convert lists to JSON.

author Ben Darnell <ben@bendarnell.com>

Sun, 5 Sep 2010 03:38:59 +0000 (20:38 -0700)

committer Ben Darnell <ben@bendarnell.com>

Sun, 5 Sep 2010 03:38:59 +0000 (20:38 -0700)
author Ben Darnell <ben@bendarnell.com>
Sun, 5 Sep 2010 03:38:59 +0000 (20:38 -0700)
committer Ben Darnell <ben@bendarnell.com>
Sun, 5 Sep 2010 03:38:59 +0000 (20:38 -0700)
diff --git a/tornado/web.py b/tornado/web.py

index ac2fd0edf1c92659864ec9150a997634c6b2db5f..ee9cbd32d4684edd5a6cfe313f600297b3e40595 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -387,6 +387,11 @@ class RequestHandler(object):
  
          If the given chunk is a dictionary, we write it as JSON and set
          the Content-Type of the response to be text/javascript.
+
+        Note that lists are not converted to JSON because of a potential
+        cross-site security vulnerability.  All JSON output should be
+        wrapped in a dictionary.  More details at
+        http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
          """
          assert not self._finished
          if isinstance(chunk, dict):
author	Ben Darnell <ben@bendarnell.com>
	Sun, 5 Sep 2010 03:38:59 +0000 (20:38 -0700)
committer	Ben Darnell <ben@bendarnell.com>
	Sun, 5 Sep 2010 03:38:59 +0000 (20:38 -0700)