
Ticket #2034 (closed enhancement: wontfix)

Opened 11 years ago

Last modified 10 years ago

json array support

Reported by: j_king Owned by: mramm
Priority: normal Milestone: 2.0b1
Component: TurboJson Version: 1.9.x
Severity: normal Keywords: json, turbojson
Cc:

Description

 paste

Using recent easy_install of Turbogears2 on Python 2.5 and Python 2.6

Change History

comment:1 Changed 11 years ago by faide

did you try to reproduce the behaviour outside an exposed controller?

comment:2 Changed 11 years ago by chrisz

  • Type changed from defect to enhancement
  • Severity changed from major to normal

Please specify a TG version for this ticket.

This is not a bug. Output that you want to be rendered by a templating engine (including JSON) must be returned as a dictionary. If you return a sequence, as in your case, TG 1.x lets CherryPy concatenate its items as strings, resulting in an error message here. You get a I don't know what TG 2.x does or is supposed to do with a sequence.

We may consider sending lists to the templating engine if the format parameter is set to "json". This would allow us to return JSON lists on the top level. This would require changes in turbogears.controllers and also in turbojson. Or maybe better, we should print a proper error message or warning, because JSON lists on the top level are known to be a security issue.
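As an added example, not code from this ticket or from TurboGears/TurboJson, the following Node.js snippet shows what "JSON lists on the top level are known to be a security issue" refers to. A bare JSON array is a complete, valid JavaScript program, so a page on another origin can load the endpoint with `<script src="...">` (the browser attaches the victim's cookies to that request); the same data wrapped in an object is a syntax error and the inclusion fails at parse time. In older browsers whose `Array` constructor or `Object.prototype` setters could be redefined by the including page, that was enough to read the array's contents (so-called JSON hijacking); current engines do not call them for literals, but the wrapping rule still costs nothing. The function names, the wrapper key `d`, the `)]}',` prefix and the sample response are my choices for illustration, not anything TurboJson does.

```javascript
// Added example (not TurboGears/TurboJson code). Demonstrates why a top-level
// JSON array can be pulled in cross-origin via <script src>, and two server-side
// mitigations with a matching client-side decoder.

// Diagnostic only: does this response body compile as a complete JavaScript
// program? new Function() parses the text but does not execute it. Do not use
// this on untrusted input in production; it is here to make the point visible.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Mitigation 1: never emit a bare array at the top level; wrap it in an object.
// As a script, {"d": [...]} is a block whose first statement is a string
// literal followed by ':', which is a SyntaxError, so <script src> inclusion
// cannot evaluate it. XMLHttpRequest clients just read response.d instead.
function wrapTopLevel(value) {
  return Array.isArray(value) ? { d: value } : value;
}

// Mitigation 2: prefix the body with text that can never parse as JavaScript.
// A cooperating same-origin client strips the prefix before JSON.parse.
const PREFIX = ")]}',\n";

function encodeWithPrefix(value) {
  return PREFIX + JSON.stringify(value);
}

function decodeWithPrefix(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error('response is missing the anti-hijack prefix');
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed sample: what a TG controller returning a list would produce.
const leakyResponse = '[{"id": 1, "email": "alice@example.test"}]';

console.log(parsesAsScript(leakyResponse));                                   // true: loadable as a script
console.log(parsesAsScript(JSON.stringify(wrapTopLevel(JSON.parse(leakyResponse))))); // false
console.log(parsesAsScript(encodeWithPrefix(JSON.parse(leakyResponse))));    // false
```

Note that the wrapped form is also what TG's "return a dictionary" convention gives you for free: a controller that returns `dict(d=items)` instead of `items` never hits the problem, and the reporter's Dojo-style client only has to index one more key.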

comment:3 Changed 11 years ago by j_king

TurboGears2-1.9.7b1

Sorry if I filed it wrong.

I'm just going by the spec which says that JSON arrays are valid JSON --  http://www.json.org/

There may be JSON/Javascript toolkits (such as Dojo 1.2) which might use JSON arrays.

Do you have a link to the security flaw?

comment:4 follow-up: ↓ 5 Changed 11 years ago by chrisz

  • Version set to 1.9.x

Ok, I've set the version to 1.9.x.

Note that what you're doing is not the documented usage of passing dictionaries to templating engines. That's why I categorized it as an enhancement request, not a bug. But I agree that TG should either render top-level arrays or give an appropriate warning/error message.

Here are two links discussing the security concerns I had in mind:

comment:5 in reply to: ↑ 4 Changed 11 years ago by j_king

Replying to chrisz:

Ok, I've set the version to 1.9.x.

Note that what you're doing is not the documented usage of passing dictionaries to templating engines. That's why I categorized it as an enhancement request, not a bug. But I agree that TG should either render top-level arrays or give an appropriate warning/error message.

Here are two links discussing the security concerns I had in mind:

Great thanks!

comment:6 Changed 10 years ago by mramm

  • Owner changed from chrisz to mramm
  • Milestone changed from 2.0 to 2.0b1

What error message is returned? We should not allow lists of arbitrary data to be returned from the controller, but it may not be worth testing that all elements of the array are strings just to throw a better error (for one thing, that breaks the use of generators to return large responses incrementally).

So, I'm tempted to just mark this as wontfix, any objections?

comment:7 Changed 10 years ago by mramm

  • Status changed from new to closed
  • Resolution set to wontfix