From: Ben Darnell
Date: Sat, 15 Mar 2014 04:50:25 +0000 (-0400)
Subject: Update links for comments about json list output.
X-Git-Tag: v4.0.0b1~102
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ff47bb4869212818ef2822256f70ef8b46e0b55;p=thirdparty%2Ftornado.git
Update links for comments about json list output.
The vulnerability in the older link affects only ancient browsers, but there are other issues that are more recent. Fixes #1009.
---
diff --git a/tornado/web.py b/tornado/web.py
index 2d9908055..e2ef7eef4 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -598,7 +598,8 @@ class RequestHandler(object):
 Note that lists are not converted to JSON because of a potential cross-site security vulnerability. All JSON output should be wrapped in a dictionary. More details at
- http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
+ http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ and
+ https://github.com/facebook/tornado/issues/1009
 """
 if self._finished:
 raise RuntimeError("Cannot write() after finish(). May be caused "
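Review bot: The docstring still relies entirely on two external links to explain why lists are refused, so the rationale is lost if either link rots. Naming the issue in the text would keep it self-contained, for example `cross-site security vulnerability (JSON hijacking of top-level arrays).` in place of the bare `cross-site security vulnerability.`. The first added URL ends in `.aspx/`, and the trailing slash looks unintended; it is worth confirming that it resolves before merging. The enclosing method starts and ends outside this hunk, so it is not visible here whether a list argument is rejected with an error or handled some other way, and the docstring should state which so callers do not assume a list is silently serialized.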