File tree Expand file tree Collapse file tree 1 file changed +11
-0
lines changed Expand file tree Collapse file tree 1 file changed +11
-0
lines changed Original file line number Diff line number Diff line change @@ -730,6 +730,16 @@ The ``JsonResponse`` class sets the ``Content-Type`` header to
730730 Only methods that respond to GET requests are vulnerable to XSSI 'JSON Hijacking'.
731731 Methods responding to POST requests only remain unaffected.
732732
733+ .. danger ::
734+
735+ The ``JsonResponse `` constructor exhibits non-standard JSON encoding behavior
736+ and will treat ``null `` as an empty object if passed as a constructor argument,
737+ despite null being a `valid JSON top-level value `_.
738+
739+ This behavior cannot be changed without backwards-compatibility concerns, but
740+ it's possible to call ``setData `` and pass the value there to opt-out of the
741+ behavior.
742+
733743JSONP Callback
734744~~~~~~~~~~~~~~
735745
@@ -797,5 +807,6 @@ Learn More
797807.. _nginx : https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/
798808.. _Apache : https://tn123.org/mod_xsendfile/
799809.. _`JSON Hijacking` : https://haacked.com/archive/2009/06/25/json-hijacking.aspx/
810+ .. _`valid JSON top-level value` : https://www.json.org/json-en.html
800811.. _OWASP guidelines : https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#always-return-json-with-an-object-on-the-outside
801812.. _RFC 8674 : https://tools.ietf.org/html/rfc8674
You can’t perform that action at this time.
0 commit comments