Merge branch '6.4' into 7.0

* 6.4: - Respond to "patches welcome" comment
symfony · May 16, 2024 · 7507b24 · 7507b24
2 parents b3b8c97 + 4e3917c
commit 7507b24
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/components/http_foundation.rst b/components/http_foundation.rst
@@ -902,6 +902,16 @@ The ``JsonResponse`` class sets the ``Content-Type`` header to
  Only methods that respond to GET requests are vulnerable to XSSI 'JSON Hijacking'.
  Methods responding to POST requests only remain unaffected.
 
+.. warning::
+
+ The ``JsonResponse`` constructor exhibits non-standard JSON encoding behavior
+ and will treat ``null`` as an empty object if passed as a constructor argument,
+ despite null being a `valid JSON top-level value`_.
+
+ This behavior cannot be changed without backwards-compatibility concerns, but
+ it's possible to call ``setData`` and pass the value there to opt-out of the
+ behavior.
+
 JSONP Callback
 ~~~~~~~~~~~~~~
 
@@ -994,6 +1004,7 @@ Learn More
 .. _nginx: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/
 .. _Apache: https://tn123.org/mod_xsendfile/
 .. _`JSON Hijacking`: https://haacked.com/archive/2009/06/25/json-hijacking.aspx/
+.. _`valid JSON top-level value`: https://www.json.org/json-en.html
 .. _OWASP guidelines: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#always-return-json-with-an-object-on-the-outside
 .. _RFC 8674: https://tools.ietf.org/html/rfc8674
 .. _Doctrine Batch processing: https://www.doctrine-project.org/projects/doctrine-orm/en/2.14/reference/batch-processing.html#iterating-results