[Django] #36905: Remove safe parameter from JsonResponse

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy | Owner: Timothy Schilling
Schilling |
Type: | Status: assigned
Cleanup/optimization |
Component: HTTP | Version: dev
handling |
Severity: Normal | Keywords: security
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The `JsonResponse` uses the `safe` parameter to limit responses to only
dictionary-like objects. This was to protect a security vulnerability in
browsers due to ECMAScript4. Browsers that use ECMAScript4 are
sufficiently old now that we can safely remove this.

This is currently [https://www.django-
antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html
mentioned as an antipattern] on django-antipatterns.org, but it shouldn't
be any more due to adoption of ECMAScript5 which isn't vulnerable to this
exploit.

Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016].
Their new [https://docs.djangoproject.com/en/6.0/ref/request-response
/#jsonresponse-objects security message is here.]

Regarding implementation, I suspect we could immediately deprecate this
parameter for the next major release and follow our typical deprecation
process. We should also reach out to django-antipatterns.org to have them
amend that article with our new stance.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------

Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Description changed by Timothy Schilling:

Old description:

> The `JsonResponse` uses the `safe` parameter to limit responses to only
> dictionary-like objects. This was to protect a security vulnerability in
> browsers due to ECMAScript4. Browsers that use ECMAScript4 are
> sufficiently old now that we can safely remove this.
>
> This is currently [https://www.django-
> antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html
> mentioned as an antipattern] on django-antipatterns.org, but it shouldn't
> be any more due to adoption of ECMAScript5 which isn't vulnerable to this
> exploit.
>
> Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016].
> Their new [https://docs.djangoproject.com/en/6.0/ref/request-response
> /#jsonresponse-objects security message is here.]
>
> Regarding implementation, I suspect we could immediately deprecate this
> parameter for the next major release and follow our typical deprecation
> process. We should also reach out to django-antipatterns.org to have them
> amend that article with our new stance.

New description:

The `JsonResponse` uses the `safe` parameter to limit responses to only
dictionary-like objects. This was to protect a security vulnerability in
browsers due to ECMAScript4. Browsers that use ECMAScript4 are
sufficiently old now that we can safely remove this.

This is currently [https://www.django-
antipatterns.com/antipattern/return-a-jsonresponse-with-safe-false.html
mentioned as an antipattern] on django-antipatterns.org, but it shouldn't
be any more due to adoption of ECMAScript5 which isn't vulnerable to this
exploit.

Flask [https://github.com/pallets/flask/pull/1671 did the same in 2016].

Their new [https://flask.palletsprojects.com/en/stable/web-security/#json-
security security message is here.]

Regarding implementation, I suspect we could immediately deprecate this
parameter for the next major release and follow our typical deprecation
process. We should also reach out to django-antipatterns.org to have them
amend that article with our new stance.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:1>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:

Keywords: security | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Jacob Walls):

* stage: Unreviewed => Accepted

Comment:

Thanks, TIL about this history.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:2>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Adam Johnson):

* cc: Adam Johnson (added)

Comment:

A regular deprecation seems like the right approach to me. We can add a
fixer to Django-upgrade to strip the safe kwarg wherever it’s passed.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:3>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Timothy Schilling):

@Adam is the fixer to Django-upgrade something you think would be
reasonable for a new-ish contributor to be able to figure out? I assigned
this to me to hand off to a Djangonaut for the upcoming session.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:4>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Adam Johnson):

Maybe! Planning to write some contribution docs there to make things a bit
more comprehensible…
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:5>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Praful Gulani):

Hello @Adam @Timothy! I saw this ticket and would love to work on it if
it's available. I recently worked on a similar cleanup in #36894, made the
required changes, added new testcases, changed a few previous ones and
also added the version changed notes in the docs.

However, I noticed you mentioned handing this off to a Djangonaut. If it's
officially reserved for that session, I'll leave it be, I actually just
learned about Djangonaut Space and am definitely planning to apply for a
future session to learn more from experienced contributors like yourself!

Just let me know if I should take it or look for another one.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:6>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Timothy Schilling | Owner: Timothy
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Timothy Schilling):

Hi @Praful, if this is still assigned to me and shows no activity in 2
months, feel free to reassign it to yourself.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:7>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------

Reporter: Tim Schilling | Owner: tharris72
Type: | Status: assigned
Cleanup/optimization |

Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by tharris72):

* owner: Tim Schilling => tharris72

Comment:

Picking this up at PyCon 2026 sprints.
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:8>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------

Reporter: Tim Schilling | Owner: Tim
Type: | Harris
Cleanup/optimization | Status: assigned

Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Tim Harris):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:9>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Tim Schilling | Owner: Tim
Type: | Harris
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:

Keywords: security | Triage Stage: Ready for
| checkin

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Jacob Walls):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:10>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Tim Schilling | Owner: Tim
Type: | Harris

Cleanup/optimization | Status: closed

Component: HTTP handling | Version: dev

Severity: Normal | Resolution: fixed

Keywords: security | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"6e15ac8066312328de279e3e072667416c205bfc" 6e15ac80]:
{{{#!CommitTicketReference repository=""
revision="6e15ac8066312328de279e3e072667416c205bfc"
Fixed #36905 -- Deprecated the safe parameter of JSONResponse.

Peer frameworks have long since dropped their analogous checks for this
vulnerability that was fixed in ES5.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:11>

[Django]

#36905: Remove safe parameter from JsonResponse
-------------------------------------+-------------------------------------
Reporter: Tim Schilling | Owner: Tim
Type: | Harris
Cleanup/optimization | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: fixed
Keywords: security | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"b5d9dbdf2bba8df4c85cd0db308b3a467d763d02" b5d9dbdf]:
{{{#!CommitTicketReference repository=""
revision="b5d9dbdf2bba8df4c85cd0db308b3a467d763d02"
Refs #36905 -- Moved JSONResponse safe param discussion to versionchanged
box.

Follow-up to 6e15ac8066312328de279e3e072667416c205bfc.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36905#comment:12>