#2373: @expose('json') won't return lists
----------------------------+-----------------------------------------------
Reporter: seedifferently | Owner:
Type: defect | Status: reopened
Priority: normal | Milestone: 2.1a2
Component: TurboGears | Version: 2.1a1
Severity: normal | Resolution:
Keywords: |
----------------------------+-----------------------------------------------
Comment (by percious):
The reason we don't want to return lists from a controller object:
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
Also, anything that was not dict-like was formerly not being sent to the
json renderer anyway, but this left us open to attack still because if you
put a rendered list in the return object, it still rendered as a string,
which still leaves you open to CSRF.
All this is fixed now.
--
Ticket URL: <http://trac.turbogears.org/ticket/2373#comment:5>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
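
The check described in the comment above, as an added example that is not part of the ticket and is not TurboGears' own code: only a top-level JSON object is rendered, and a pre-rendered string is parsed first so a serialized list cannot pass through as plain text. The names `render_json`, `wrap_list` and `UnsafeJSONResponse` are hypothetical.

```python
import json
from collections.abc import Mapping


class UnsafeJSONResponse(TypeError):
    """A controller result would render as something other than a JSON object."""


def render_json(result):
    """Render a controller result, allowing only a top-level JSON object.

    Hypothetical helper for illustration; not the TurboGears renderer.
    """
    if isinstance(result, Mapping):
        return json.dumps(dict(result))

    if isinstance(result, (str, bytes)):
        # A string may be JSON that the controller rendered itself. Parse it
        # and judge it by what the browser would receive, not by its Python type.
        try:
            text = result.decode("utf-8") if isinstance(result, bytes) else result
            parsed = json.loads(text)
        except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
            raise UnsafeJSONResponse("string result is not valid JSON") from None
        if isinstance(parsed, dict):
            return text
        raise UnsafeJSONResponse(
            "pre-rendered JSON has a top-level %s, not an object"
            % type(parsed).__name__
        )

    raise UnsafeJSONResponse(
        "controller returned %s; wrap it in a dict" % type(result).__name__
    )


def wrap_list(items, key="items"):
    """Put a sequence under a key so the response is a JSON object."""
    return {key: list(items)}


if __name__ == "__main__":
    # Constructed sample values, not taken from the ticket.
    print(render_json(wrap_list(["alice", "bob"], key="users")))
    for bad in (["alice", "bob"], '["alice", "bob"]', b"[1, 2]"):
        try:
            render_json(bad)
        except UnsafeJSONResponse as exc:
            print("rejected:", exc)
```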