minor #19882 Document strange JsonResponse constructor behaviour (lol768)

OskarStark · OskarStark · commit 460cdd7fca9a · 2024-05-16T07:19:49.000+02:00
This PR was merged into the 5.4 branch. Discussion ---------- Document strange JsonResponse constructor behaviour Discussed on symfony/symfony#11679 Commits ------- 90fa8ca Respond to "patches welcome" comment
diff --git a/components/http_foundation.rst b/components/http_foundation.rst
@@ -729,6 +729,16 @@ The ``JsonResponse`` class sets the ``Content-Type`` header to
     Only methods that respond to GET requests are vulnerable to XSSI 'JSON Hijacking'.
     Methods responding to POST requests only remain unaffected.
 
+.. danger::
+
+    The ``JsonResponse`` constructor exhibits non-standard JSON encoding behavior
+    and will treat ``null`` as an empty object if passed as a constructor argument,
+    despite null being a `valid JSON top-level value`_.
+
+    This behavior cannot be changed without backwards-compatibility concerns, but
+    it's possible to call ``setData`` and pass the value there to opt-out of the
+    behavior.
+
 JSONP Callback
 ~~~~~~~~~~~~~~
 
@@ -832,5 +842,6 @@ Learn More
 .. _nginx: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/
 .. _Apache: https://tn123.org/mod_xsendfile/
 .. _`JSON Hijacking`: https://haacked.com/archive/2009/06/25/json-hijacking.aspx/
+.. _`valid JSON top-level value`: https://www.json.org/json-en.html
 .. _OWASP guidelines: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#always-return-json-with-an-object-on-the-outside
 .. _RFC 8674: https://tools.ietf.org/html/rfc8674
