
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.

== Why is this an issue?

By default, only dictionary objects can be serialized in a Django JSON-encoded response. Before ECMAScript 5, serializing non-dictionary objects could lead to security vulnerabilities. Since most modern browsers implement ECMAScript 5, this attack vector is no longer a threat, and it is possible to serialize non-dictionary objects by setting the `safe` flag to `False`. However, if this flag is not set, the serializer raises a `TypeError`.

Despite this possibility, it is still recommended to serialize dictionary objects, as an API based on `dict` is generally more extensible and easier to maintain.

== How to fix it

To fix this issue, ensure that the `safe` flag is set to `False` when serializing non-dictionary objects in Django.

=== Code examples

==== Noncompliant code example

[source,python]
----
from django.http import JsonResponse
# Noncompliant: a list is not a dict and safe defaults to True, so this raises TypeError
response = JsonResponse([1, 2, 3])
----

==== Compliant solution

[source,python]
----
from django.http import JsonResponse
# Compliant: safe=False explicitly allows a non-dict object
response = JsonResponse([1, 2, 3], safe=False)
----

== Resources
=== Documentation
https://docs.djangoproject.com/en/4.1/ref/request-response/#serializing-non-dictionary-objects[Serializing non-dictionary objects]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use a dictionary object here, or set the "safe" flag to False.


'''
endif::env-github,rspecator-view[]