Merge branch '7.0' into 7.1

* 7.0: - Respond to "patches welcome" comment
symfony · May 16, 2024 · 442e506 · 442e506
2 parents ee2364e + 7507b24
commit 442e506
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/components/http_foundation.rst b/components/http_foundation.rst
@@ -925,6 +925,16 @@ The ``JsonResponse`` class sets the ``Content-Type`` header to
  Only methods that respond to GET requests are vulnerable to XSSI 'JSON Hijacking'.
  Methods responding to POST requests only remain unaffected.
 
+.. warning::
+
+ The ``JsonResponse`` constructor exhibits non-standard JSON encoding behavior
+ and will treat ``null`` as an empty object if passed as a constructor argument,
+ despite null being a `valid JSON top-level value`_.
+
+ This behavior cannot be changed without backwards-compatibility concerns, but
+ it's possible to call ``setData`` and pass the value there to opt-out of the
+ behavior.
+
 JSONP Callback
 ~~~~~~~~~~~~~~
 
@@ -1017,6 +1027,7 @@ Learn More
 .. _nginx: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/
 .. _Apache: https://tn123.org/mod_xsendfile/
 .. _`JSON Hijacking`: https://haacked.com/archive/2009/06/25/json-hijacking.aspx/
+.. _`valid JSON top-level value`: https://www.json.org/json-en.html
 .. _OWASP guidelines: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#always-return-json-with-an-object-on-the-outside
 .. _RFC 8674: https://tools.ietf.org/html/rfc8674
 .. _Doctrine Batch processing: https://www.doctrine-project.org/projects/doctrine-orm/en/2.14/reference/batch-processing.html#iterating-results