I searched on Google and found an answer but it's not working for me. I have to send a list as JsonResponse in Django, similar to this:
我在Google上搜索并找到答案,但这对我不起作用。我必须在Django中发送一个名为JsonResponse的列表,类似于:
list_to_json =[{"title": "hello there",
"link": "www.domain.com",
"date": ...},
{},{},{},...]
I am converting this to JSON by applying * question1 and question2 but it's not working for me. I get the following error:
我通过应用*问题1和问题2将其转换为JSON,但它不适合我。我收到以下错误:
In order to allow non-dict objects to be serialized set the safe parameter to False
为了允许非dict对象被序列化,请将safe参数设置为False
Here's my code:
这是我的代码:
def json_response(request):
list_to_json=[{"title": ..., "link": ..., "date": ...},{...}]
return JsonResponse(json.dumps(list_to_json) )
4 个解决方案
#1
17
return JsonResponse(list_to_json, safe=False)
Take a look at the documentation:
看一下文档:
The safe boolean parameter defaults to True. If it’s set to False, any object can be passed for serialization (otherwise only dict instances are allowed). If safe is True and a non-dict object is passed as the first argument, a TypeError will be raised.
safe boolean参数默认为True。如果将其设置为False,则可以传递任何对象以进行序列化(否则仅允许dict实例)。如果safe为True且非dict对象作为第一个参数传递,则将引发TypeError。
#2
1
You have do include serializers or you can do this by using safe= False to your response data.
Like
您已经包含了序列化程序,或者您可以通过对响应数据使用safe = False来执行此操作。喜欢
return JsonResponse(list_to_json, safe=False)
#3
0
This is not a valid dictionary:
这不是一个有效的字典:
{"title": , "link" : , "date": }
because the values are missing. If you try adding the missing values instead, it works fine:
因为缺少值。如果您尝试添加缺少的值,它可以正常工作:
>>> json.dumps([{"title": "hello there", "link": "www.domain.com", "date": 2016}, {}])
'[{"link": "www.domain.com", "date": 2016, "title": "hello there"}, {}]'
#4
0
Adding this answer for anyone wondering why this isn't "safe" by default. Packing a non-dict data structure into a response makes the service vulnerable to a pre-ES5 JSON Hijacking attack.
为任何想知道为什么默认情况下这不是“安全”的人添加此答案。将非dict数据结构打包到响应中会使服务容易受到ES5之前的JSON劫持攻击。
Basically, with the JSONResponse you're using here, if a user is authenticated to your site, he can now retrieve that list of {title, link, date} objects and that's fine. However, an attacker could include that endpoint as a script source on his own malicious page (cross site script inclusion, aka XSSI):
基本上,使用您在此处使用的JSONResponse,如果用户通过您的站点进行身份验证,他现在可以检索{title,link,date}对象的列表,这很好。但是,攻击者可以将该端点作为脚本源包含在他自己的恶意页面上(跨站点脚本包含,也称为XSSI):
<script src="https://www.yourwebsite.com/secretlinks/"></script>
Then, if an unsuspecting authenticated user navigates to the malicious page, the browser will unknowingly request the array of data from your site. Since your service is just returning an unassigned array, the attacker must also poison the js Array constructor (this is the part of the attack that was fixed in ES5). Before ES5, the attacker could simply override the Array constructor like so:
然后,如果不知情的经过身份验证的用户导航到恶意页面,浏览器将在不知不觉中从您的站点请求数据阵列。由于您的服务只是返回一个未分配的数组,攻击者还必须毒害js Array构造函数(这是ES5中修复的攻击的一部分)。在ES5之前,攻击者可以简单地覆盖Array构造函数,如下所示:
Array = function() {secret = this;}
Now secret contains your list of dictionaries, and is available to the rest of the attacker's script, where he can send it off to his own server. ES5 fixed this by forcing the use of brackets to be evaluated by the default Array constructor.
现在秘密包含您的词典列表,并且可供攻击者脚本的其余部分使用,他可以将其发送到自己的服务器。 ES5通过强制使用括号来修复此问题,由默认的Array构造函数进行评估。
Why wasn't this ever an issue for dictionary objects? Simply because curly brackets in javascript denote an isolated scope, and so there's no way for the attacker to inject his own code into the scope created by the returned dictionary which is surrounded by curly brackets.
为什么这不是字典对象的问题?仅仅因为javascript中的花括号表示一个独立的范围,因此攻击者无法将自己的代码注入由返回的字典创建的范围,该范围被大括号括起来。
更多信息:https://security.stackexchange.com/questions/159609/how-is-it-possible-to-poison-javascript-array-constructor-and-how-does-ecmascrip?newreg = c70030debbca44248f54cec4cdf761bb
#1
17
return JsonResponse(list_to_json, safe=False)
Take a look at the documentation:
看一下文档:
The safe boolean parameter defaults to True. If it’s set to False, any object can be passed for serialization (otherwise only dict instances are allowed). If safe is True and a non-dict object is passed as the first argument, a TypeError will be raised.
safe boolean参数默认为True。如果将其设置为False,则可以传递任何对象以进行序列化(否则仅允许dict实例)。如果safe为True且非dict对象作为第一个参数传递,则将引发TypeError。
#2
1
You have do include serializers or you can do this by using safe= False to your response data.
Like
您已经包含了序列化程序,或者您可以通过对响应数据使用safe = False来执行此操作。喜欢
return JsonResponse(list_to_json, safe=False)
#3
0
This is not a valid dictionary:
这不是一个有效的字典:
{"title": , "link" : , "date": }
because the values are missing. If you try adding the missing values instead, it works fine:
因为缺少值。如果您尝试添加缺少的值,它可以正常工作:
>>> json.dumps([{"title": "hello there", "link": "www.domain.com", "date": 2016}, {}])
'[{"link": "www.domain.com", "date": 2016, "title": "hello there"}, {}]'
#4
0
Adding this answer for anyone wondering why this isn't "safe" by default. Packing a non-dict data structure into a response makes the service vulnerable to a pre-ES5 JSON Hijacking attack.
为任何想知道为什么默认情况下这不是“安全”的人添加此答案。将非dict数据结构打包到响应中会使服务容易受到ES5之前的JSON劫持攻击。
Basically, with the JSONResponse you're using here, if a user is authenticated to your site, he can now retrieve that list of {title, link, date} objects and that's fine. However, an attacker could include that endpoint as a script source on his own malicious page (cross site script inclusion, aka XSSI):
基本上,使用您在此处使用的JSONResponse,如果用户通过您的站点进行身份验证,他现在可以检索{title,link,date}对象的列表,这很好。但是,攻击者可以将该端点作为脚本源包含在他自己的恶意页面上(跨站点脚本包含,也称为XSSI):
<script src="https://www.yourwebsite.com/secretlinks/"></script>
Then, if an unsuspecting authenticated user navigates to the malicious page, the browser will unknowingly request the array of data from your site. Since your service is just returning an unassigned array, the attacker must also poison the js Array constructor (this is the part of the attack that was fixed in ES5). Before ES5, the attacker could simply override the Array constructor like so:
然后,如果不知情的经过身份验证的用户导航到恶意页面,浏览器将在不知不觉中从您的站点请求数据阵列。由于您的服务只是返回一个未分配的数组,攻击者还必须毒害js Array构造函数(这是ES5中修复的攻击的一部分)。在ES5之前,攻击者可以简单地覆盖Array构造函数,如下所示:
Array = function() {secret = this;}
Now secret contains your list of dictionaries, and is available to the rest of the attacker's script, where he can send it off to his own server. ES5 fixed this by forcing the use of brackets to be evaluated by the default Array constructor.
现在秘密包含您的词典列表,并且可供攻击者脚本的其余部分使用,他可以将其发送到自己的服务器。 ES5通过强制使用括号来修复此问题,由默认的Array构造函数进行评估。
Why wasn't this ever an issue for dictionary objects? Simply because curly brackets in javascript denote an isolated scope, and so there's no way for the attacker to inject his own code into the scope created by the returned dictionary which is surrounded by curly brackets.
为什么这不是字典对象的问题?仅仅因为javascript中的花括号表示一个独立的范围,因此攻击者无法将自己的代码注入由返回的字典创建的范围,该范围被大括号括起来。
更多信息:https://security.stackexchange.com/questions/159609/how-is-it-possible-to-poison-javascript-array-constructor-and-how-does-ecmascrip?newreg = c70030debbca44248f54cec4cdf761bb