JSON returning list


Uwe Schroeder

Jul 26, 2016, 9:52:43 PM
to TurboGears

Hi all,

So I ran into the issue of returning a list via JSON, which TurboGears doesn't let me do. To my understanding, the vulnerability in question only exists for GET requests – at least with any halfway modern browser. So wouldn't it be more consistent to only restrict JSON array returns if the request was a GET and not a POST?

The problem I have with this is using a 3rd-party software which requires an array response (and no, it's not critical data, so I couldn't care less if anyone stole something that's indexed on Google anyway).

Sure, it's easy to change in tg/controllers/decoratedcontroller.py – but I'd rather stick to stock TG as much as possible (I already have a bunch of hacks in place, which makes it a pain to upgrade).

Thanks

Uwe

Alessandro Molina

Jul 27, 2016, 10:56:14 AM
to TurboGears


Alessandro Molina

Jul 28, 2016, 8:24:49 AM
to Uwe, TurboGears


On Wed, Jul 27, 2016 at 6:08 PM, Uwe <u...@bunspace.com> wrote:

Alessandro, I should have mentioned that I did try that config setting. But guess what:

The response has to be a dict or a string or you see other errors pop up because code down the chain expects a dict. 

Ah yeah, sorry, I thought you were blocked on the JSON encoder.
Yes, by design TurboGears actions can only return strings or dicts, in all cases.

What you want to achieve can be done by returning the result of tg.json_encode:

@expose('json')
def action(self):
   return tg.json_encode([1,2,3])

That will use the TurboGears JSON encoder to create the JSON, and if you provided the json.allow_lists = True option it will properly send the encoded array.

Alessandro Molina

Jul 29, 2016, 9:12:10 AM
to Uwe, TurboGears
Just take note that the regular json encoder won't be able to encode query results, dates, mongodb objects and a few other things, while the tg.json_encode function is the exact same function used by @expose('json').


On Fri, Jul 29, 2016 at 12:43 AM, Uwe <u...@bunspace.com> wrote:

Thanks! I have set the allow_lists config option which is probably why using the regular json module works just the same as your solution.

Uwe
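
The behaviour discussed in this thread, as an added example that is not part of any post and is not TurboGears code: a standard-library encoder that refuses a top-level array unless an allow_lists flag is set and that serializes dates, which plain json.dumps rejects. GuardedEncoder, respond and the sample rows are hypothetical names and constructed values; respond models only the "dict or string" contract stated above.

```python
import datetime
import json


class GuardedEncoder(json.JSONEncoder):
    """Hypothetical stand-in for a framework encoder; not TurboGears code."""

    def __init__(self, allow_lists=False, **kwargs):
        super().__init__(**kwargs)
        self.allow_lists = allow_lists

    def default(self, obj):
        # Called only for types the json module cannot serialize by itself.
        if isinstance(obj, datetime.date):  # also matches datetime.datetime
            return obj.isoformat()
        return super().default(obj)

    def encode(self, obj):
        # encode() runs once per document, so this checks the top level only;
        # lists nested inside a dict are always allowed.
        if isinstance(obj, (list, tuple)) and not self.allow_lists:
            raise ValueError("top-level JSON array refused; allow_lists is off")
        return super().encode(obj)


def respond(result, encoder):
    """Model of the contract in the thread: an action returns a dict or a str."""
    if isinstance(result, str):
        return result  # an already-encoded body goes out unchanged
    if not isinstance(result, dict):
        raise TypeError("action must return a dict or a string")
    return encoder.encode(result)


if __name__ == "__main__":
    rows = [{"id": 1, "seen": datetime.date(2016, 7, 26)}]  # constructed sample
    strict, relaxed = GuardedEncoder(), GuardedEncoder(allow_lists=True)
    print(respond({"rows": rows}, strict))        # dict wrapper: always accepted
    print(respond(relaxed.encode(rows), strict))  # pre-encoded array as a str
    for attempt in (lambda: strict.encode(rows), lambda: json.dumps(rows)):
        try:
            attempt()
        except (ValueError, TypeError) as exc:
            print(type(exc).__name__, exc)
```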

