# HG changeset patch
# User Søren Løvborg
# Date 1478527753 -3600
# Node ID 1b448d8a422ff83fe5648dabb5aa88e623e48578
# Parent aa2542a6538b0c8f49cbfbe5fe60e4171c675e76
utils: fix broken URL in jsonify warning

Also add a note summarizing the linked concerns.

diff -r aa2542a6538b -r 1b448d8a422f kallithea/lib/utils.py
--- a/kallithea/lib/utils.py Fri Sep 23 21:14:40 2016 +0200
+++ b/kallithea/lib/utils.py Mon Nov 07 15:09:13 2016 +0100
@@ -718,9 +718,14 @@
     pylons.response.headers['Content-Type'] = 'application/json; charset=utf-8'
     data = func(*args, **kwargs)
     if isinstance(data, (list, tuple)):
+        # A JSON list response is syntactically valid JavaScript and can be
+        # loaded and executed as JavaScript by a malicious third-party site
+        # using