From 4ff47bb4869212818ef2822256f70ef8b46e0b55 Mon Sep 17 00:00:00 2001 From: Ben Darnell Date: Sat, 15 Mar 2014 00:50:25 -0400 Subject: [PATCH] Update links for comments about json list output. The vulnerability in the older link affects only ancient browsers, but there are other issues that are more recent. Fixes #1009. --- tornado/web.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tornado/web.py b/tornado/web.py index 2d9908055..e2ef7eef4 100644 --- a/tornado/web.py +++ b/tornado/web.py @@ -598,7 +598,8 @@ class RequestHandler(object): Note that lists are not converted to JSON because of a potential cross-site security vulnerability. All JSON output should be wrapped in a dictionary. More details at - http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx + http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ and + https://github.com/facebook/tornado/issues/1009 """ if self._finished: raise RuntimeError("Cannot write() after finish(). May be caused " -- 2.47.2
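Review bot: The docstring in this hunk still explains the list restriction only by pointing at two external pages, so a reader cannot tell what the risk is without following them, and the rationale is lost if either link rots. I would add a short summary before the links, for example `A top-level JSON array is also a valid script, and some browsers have let a page on another site read such a response by including it as a script.`, and keep the URLs as further reading; the wording should be checked against the linked issue. The first link is plain `http://`, so an `https://` form is preferable if the site serves one. The docstring and the enclosing method (apparently `write()`, going by the error message) begin and continue outside this hunk.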