cloudyr / limer

A LimeSurvey R Client
MIT License

fix a potential security risk #57

Open struckma opened 2 years ago

struckma commented 2 years ago

This is a proposal only, but jsonlite::fromJSON, by default, also supports URLs as arguments and will then fetch these, parsing the result instead of parsing its argument. If some LimeSurvey server were somehow tricked into delivering a URL here, this could also put the API clients at risk, e.g. using CSRF.
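
An added example, not code from limer or from this pull request: one way to guard against the behaviour described in the comment above is to parse the response body strictly as literal JSON. The helper name `parse_response_body` and both sample strings are constructed for illustration, and the sketch assumes the response body arrives as a single character string.

```r
library(jsonlite)

# Hypothetical helper (not part of limer): parse an API response body as
# literal JSON text only, never as a URL or a file path.
parse_response_body <- function(body) {
  if (!is.character(body) || length(body) != 1L || is.na(body)) {
    stop("response body must be a single character string")
  }
  # validate() only checks JSON syntax; it does no network or file access.
  if (!isTRUE(jsonlite::validate(body))) {
    stop("response body is not valid JSON; refusing to parse it")
  }
  # parse_json() takes literal JSON (or a connection object) and does not
  # interpret a string as a location to fetch. simplifyVector = TRUE keeps
  # the result shape the same as fromJSON()'s default.
  jsonlite::parse_json(body, simplifyVector = TRUE)
}

# Constructed sample inputs.
json_body <- '{"id": 1, "result": "constructed-session-key", "error": null}'
url_body  <- "https://example.invalid/data.json"

# A JSON document is parsed as usual.
parsed <- parse_response_body(json_body)
print(parsed$result)

# A body that is only a URL is rejected before anything could fetch it.
outcome <- tryCatch(
  parse_response_body(url_body),
  error = function(e) paste("rejected:", conditionMessage(e))
)
print(outcome)
```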