
How do I add dict `a` to the response, and how can I get both objects in the ajax callback?

view

import json
from django.core import serializers
from django.http import HttpResponse
from .models import Cp  # assumed location of the Cp model

def abc(request):
    cp = Cp.objects.get(id=1)
    # serializers.serialize() returns a JSON string for a list of instances;
    # loading it back gives a Python list with one {model, pk, fields} entry
    cp = json.loads(serializers.serialize('json', [cp]))

    a = {'a': 'a', 'b': 'b'}

    # 'data' is never built: this is where cp and a need to be combined
    return HttpResponse(data)

js

$.ajax({
    // url, type, etc. omitted in the question
    success: function(data) {
        // how do I reach both cp and a here?
    }
})
  • The ajax should not be expected to return multiple objects. It should be expected to return one object, or an array of objects. "An array" being a single top level element. Returning `"{..stuff...},{...stuff...}"` is not valid json without breaking them apart before parsing them – Taplar Jul 18 '19 at 14:25
  • 1
    `return JsonResponse({'cp': cp, 'a': a})`? – Willem Van Onsem Jul 18 '19 at 14:26
  • 1
    @Taplar: please do not use a top level list, this is a known security vulnerability: https://blog.jeremiahgrossman.com/2006/01/advanced-web-attack-techniques-using.html This is actually one of the reasons that a `JsonResponse` will refuse to serialize a top level list, unless you specify `safe=False`. – Willem Van Onsem Jul 18 '19 at 14:28
  • 1
    @WillemVanOnsem what exactly is the security concern with returning a json array? – Taplar Jul 18 '19 at 14:32
  • @Taplar: malware can override the `Array` function, and thus spy on the result that is returned. – Willem Van Onsem Jul 18 '19 at 14:34
  • 1
    Malware can do lots of stuff. That doesn't mean you shouldn't use logic. If you have an api endpoint that performs a search, the logical way to return the multiple results is a json array. – Taplar Jul 18 '19 at 14:36
  • @Taplar: we are just talking about a JavaScript script that can thus "hack" into responses of another party. So it does not have much to do with infecting the machine first. – Willem Van Onsem Jul 18 '19 at 14:45
  • What's to stop malware from overriding `Object`? – Taplar Jul 18 '19 at 14:46
  • @Taplar: because there is a small peculiarity: a list is a valid JavaScript script that can run, an object on the other hand, not. See [here](https://stackoverflow.com/q/43717574/67579), [here](https://stackoverflow.com/q/3503102/67579), [here](http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as-people-think-it-is/), and [here](https://johnresig.com/blog/re-securing-json/). The discovery resulted in a lot of frameworks taking countermeasures against top level arrays, including Django, but tornado as well: https://github.com/tornadoweb/tornado/issues/1009 – Willem Van Onsem Jul 18 '19 at 14:49
  • The interesting thing is that, after the discovery in 2006 it has been patched. But it turned out to be insufficient, since there were still related leaks in 2008, 2011, and 2012. I think therefore a lot of developers simply do not "trust" the patches, and use a "better be safe than sorry" approach. – Willem Van Onsem Jul 18 '19 at 14:52

1 Answer


Thanks @WillemVanOnsem for the help

views

import json
from django.core import serializers
from django.http import JsonResponse
from .models import Cp  # assumed location of the Cp model

def abc(request):
    cp = Cp.objects.get(id=1)
    # serialize the instance, then dump it again so cp travels as a JSON
    # string inside the response (the JS side parses it with JSON.parse)
    cp = json.dumps(json.loads(serializers.serialize('json', [cp])))
    # rate, eair, overpayment, total_payment and monthly_payment are computed
    # earlier in the view (not shown in the post)
    other = {'rate': float(rate), 'eair': float(eair), 'overpayment': overpayment, 'total_payment': round(total_payment), 'monthly_payment': round(monthly_payment)}
    # JsonResponse accepts only a dict at the top level (safe=True by default),
    # so both objects are nested under their own keys
    return JsonResponse({'cp': cp, 'other': other})

js

  $.ajax({
    // url, type, etc. omitted in the answer
    success: function(data) {
      // jQuery already parsed the JsonResponse body, so data is an object;
      // data.cp is still a JSON string and needs one more parse
      var cp_json = JSON.parse(data.cp);
      var other = data.other;
      // the serializer wraps each instance as {model, pk, fields}
      var credit_payment = cp_json[0].fields;
      $('.rate').html(credit_payment.rate + '%');
    }
  });
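The following is an added example, not code from the question, the answer or Django itself. It brings together the two things this thread turns on: the answer's approach of nesting both objects under named keys of one top-level object, and the comment discussion of why `JsonResponse` refuses a bare top-level list. It runs without Django installed: `SERIALIZED_CP` is a constructed stand-in for `json.loads(serializers.serialize('json', [cp]))`, and `json_body()` is a hypothetical helper that reproduces the `safe` guard Django's `JsonResponse` performs (it is not Django's own code). `classify_body()` is the kind of check a test suite can run over response bodies to catch any endpoint that ships a bare array.

```python
import json

# Constructed stand-in for json.loads(serializers.serialize('json', [cp])):
# Django's serializer emits one {model, pk, fields} entry per instance.
SERIALIZED_CP = [
    {"model": "credits.cp", "pk": 1, "fields": {"rate": "12.50", "term_months": 36}},
]


def json_body(data, safe=True):
    """Hypothetical helper mirroring the guard in Django's JsonResponse.

    With safe=True (Django's default) only a dict is accepted as the top-level
    value, so the body can never be a bare JSON array; a list has to be opted
    into explicitly with safe=False. This is the check the comments refer to.
    """
    if safe and not isinstance(data, dict):
        raise TypeError(
            "In order to allow non-dict objects to be serialized "
            "set the safe parameter to False"
        )
    return json.dumps(data)


def build_payload(serialized_instances, other):
    """Nest both pieces under their own keys of one top-level object.

    Because the serializer output is now a value inside a dict rather than the
    whole body, it can be embedded as a real JSON array: no extra json.dumps()
    on the server and no JSON.parse() on the client are needed for it.
    """
    return {"cp": serialized_instances, "other": other}


def classify_body(body):
    """Defensive check on an outgoing (or recorded) response body.

    Reports whether the top-level JSON value is an object, an array, a scalar
    or invalid JSON, so a test can assert that no endpoint returns a bare array.
    """
    try:
        value = json.loads(body)
    except ValueError:
        return "invalid"
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    return "scalar"


def first_fields(payload):
    """Server-side equivalent of cp_json[0].fields in the answer's JavaScript."""
    return payload["cp"][0]["fields"]


if __name__ == "__main__":
    other = {"rate": 12.5, "monthly_payment": 334}   # constructed sample values
    body = json_body(build_payload(SERIALIZED_CP, other))
    print(body)
    print(classify_body(body))               # object
    print(first_fields(json.loads(body)))    # {'rate': '12.50', 'term_months': 36}
    try:
        json_body(SERIALIZED_CP)             # bare list: refused, like JsonResponse
    except TypeError as exc:
        print("refused:", exc)
```

Running it shows the combined body starting with `{`, while passing the serializer list alone raises the same kind of `TypeError` Django raises. Nesting the list under `"cp"` also means the client can read `data.cp[0].fields` directly; the answer's extra `json.dumps()` / `JSON.parse()` round trip works but is not required once the list is no longer the top-level value.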