Hi all, so I ran into the issue to return a list via JSON, which turbogears doesn't let me. To my understanding the vulnerability in question only exists for GET requests - at least with any half way modern browser. So wouldn't it be more consistent to only restrict json array returns if the request was a GET and not a POST ?
The problem I have with this is using a 3rd party software which requires an array response (and no, it's not critical data so I couldn't care less if anyone stole something that's indexed on google anyways). Sure it's easy to change in tg/controllers/decoratedcontroller.py - but I rather stick to stock TG as much as possible (already have a bunch of hacks in place which makes it a pain to upgrade) Thanks Uwe -- You received this message because you are subscribed to the Google Groups "TurboGears" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/turbogears. For more options, visit https://groups.google.com/d/optout.
