From 04f2bbcb15bd7b3accd8e0820b83df1b2207aa24 Mon Sep 17 00:00:00 2001 From: Armin Ronacher Date: Mon, 20 Jun 2011 08:27:23 +0200 Subject: [PATCH] Updated JSON docs --- docs/security.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/security.rst b/docs/security.rst index 35afd49e..07a5b942 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -95,6 +95,13 @@ the form validation framework, which does not exist in Flask. JSON Security ------------- +.. admonition:: ECMAScript 5 Changes + + Starting with ECMAScript 5 the behavior of literals changed. Now they + are not constructed with the constructor of ``Array`` and others, but + with the builtin constructor of ``Array`` which closes this particular + attack vector. + JSON itself is a high-level serialization format, so there is barely anything that could cause security problems, right? You can't declare recursive structures that could cause problems and the only thing that
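Review bot: In the added admonition, the sentence "Now they are not constructed with the constructor of ``Array`` and others, but with the builtin constructor of ``Array``" names the same thing on both sides of the "but", so a reader cannot tell what actually changed. Consider contrasting the two explicitly, for example "literals no longer invoke whatever is currently bound to the global ``Array`` name (which a page can replace) but always use the original builtin constructor". The admonition also sits directly under the "JSON Security" heading, ahead of the paragraph that begins "JSON itself is a high-level serialization format", so "this particular attack vector" refers to an attack the reader has not been shown yet. Either move the admonition after the description of the attack or name the attack in the admonition itself.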