On 08.07.2011 00:14, Lukas Kahwe Smith wrote:
> $article = new Article();
> $this->templating->render($template, $article);
>
> would allow for
> {{ params.title }}
That's alright, although not so common, array('article'=>$article) would
be more usual imo.
> array(new Article(), new Article());
> $this->templating->render($template, $articles);
>
> would allow for
> {{ params[0].title }}
That's not alright at all, you should never have an array on the top
level of a json response, because it opens your API to potential CSRF
attacks [1].
This should be array('articles' => $articles).
I don't think we should facilitate insecure practices.
[1] http://flask.pocoo.org/docs/security/#json-security
Cheers
--
Jordi Boggiano
@seldaek - http://nelm.io/jordi
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
