
Merge branch '6.4' into 7.0
* 6.4:
  -
  Respond to "patches welcome" comment
OskarStark committed May 16, 2024
2 parents b3b8c97 + 4e3917c commit 7507b24
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions components/http_foundation.rst
Expand Up @@ -902,6 +902,16 @@ The ``JsonResponse`` class sets the ``Content-Type`` header to
Only methods that respond to GET requests are vulnerable to XSSI 'JSON Hijacking'.
Methods responding to POST requests only remain unaffected.

.. warning::

The ``JsonResponse`` constructor exhibits non-standard JSON encoding behavior
and will treat ``null`` as an empty object if passed as a constructor argument,
despite null being a `valid JSON top-level value`_.

This behavior cannot be changed without backwards-compatibility concerns, but
it's possible to call ``setData`` and pass the value there to opt-out of the
behavior.

JSONP Callback
~~~~~~~~~~~~~~

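Review bot: the second paragraph of the new warning tells readers to "call ``setData`` and pass the value there" but never shows the call or the resulting bodies, so the opt-out is easy to misread; suggest one short inline illustration, e.g. ``new JsonResponse(null)`` produces the body ``{}`` while ``(new JsonResponse())->setData(null)`` produces the body ``null``, so the reader can see both outcomes. It would also help to say why the constructor defaults to an empty object rather than just calling it "non-standard": it matches the "always return JSON with an object on the outside" guidance that this same section already cites from the `OWASP guidelines`_ link in Learn More, which is the relevant XSSI consideration for GET-served JSON discussed just above the warning.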
Expand Down Expand Up @@ -994,6 +1004,7 @@ Learn More
.. _nginx: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/
.. _Apache: https://tn123.org/mod_xsendfile/
.. _`JSON Hijacking`: https://haacked.com/archive/2009/06/25/json-hijacking.aspx/
.. _`valid JSON top-level value`: https://www.json.org/json-en.html
.. _OWASP guidelines: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#always-return-json-with-an-object-on-the-outside
.. _RFC 8674: https://tools.ietf.org/html/rfc8674
.. _Doctrine Batch processing: https://www.doctrine-project.org/projects/doctrine-orm/en/2.14/reference/batch-processing.html#iterating-results
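Review bot: the new ``valid JSON top-level value`` target points at json.org, which only presents the grammar and does not state explicitly that a bare ``null`` is a complete JSON text; the normative statement is RFC 8259, section 2 ("JSON-text = ws value ws", which allows any value at the top level and notes the change from RFC 4627, where only objects and arrays were permitted). Suggest linking https://www.rfc-editor.org/rfc/rfc8259#section-2 instead, or in addition, since that is the source a reader will need if they question whether ``null`` is really valid at the top level. This file already uses an RFC link style (``.. _RFC 8674:``) that the new target could follow.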
