Add JSON prefix to prevent script-tag CSRF attack #76

According to http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx it is possible to attack a JSON response by transforming it into JSONP.
Adding a prefix as suggested in http://docs.angularjs.org/api/ng.$http (JSON Vulnerability Protection).
I did it in my fork 3d73cf6 in the class serializer, but maybe it would be good to do it in the JsonSerializationVisitor.

Comments

Seems a good addition.

The issue is that your return value is not JSON anymore. So if you put the prefix, you have to change the content-type of your response to avoid lying, and client code must be aware that the prefix needs to be stripped to retrieve the JSON. So a JSON visitor should not do it by default. FYI, the PR implementing it for Symfony uses

Thus, if you always return an object in your response rather than an array, you are not affected by the vulnerability, as mentioned in the blog post.

I think this is outside the scope of the serializer.
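The mechanism the thread is debating, as an added example (not code from the serializer project, the linked fork, or anyone in this thread): a server-side helper that prepends the AngularJS-style `)]}',\n` prefix, the matching client-side strip-and-parse step the maintainer says is required, and a defender check that tells you whether a given response body would load as a JavaScript program via a `<script>` tag. The function names, the constructed sample records and the choice of `text/plain` as the content type for the prefixed body are assumptions of this example.

```javascript
// Added example; not from the serializer project or this thread's authors.
// Shows the "JSON Vulnerability Protection" prefix discussed above: why a
// top-level JSON array is loadable as a script, why a top-level object is
// not, and how the prefix makes the body unparseable as JavaScript.
// Function names, sample data and the Content-Type choice are assumptions.

const JSON_PREFIX = ")]}',\n"; // the prefix used by AngularJS $http

// Server side: serialize a value and prepend the prefix. Since the body is
// no longer plain JSON, it is labelled text/plain rather than
// application/json (an assumption, following the maintainer's point that
// the content type must not claim the body is JSON).
function buildProtectedResponse(value) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain; charset=utf-8' },
    body: JSON_PREFIX + JSON.stringify(value),
  };
}

// Client side: refuse bodies that lack the prefix, then strip it and parse.
function parseProtectedBody(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Defender check: can this body be parsed as a JavaScript program? A
// <script src=...> load of the endpoint only succeeds if it can.
// new Function() compiles the source without running it, so this is safe
// to apply to any sample body in a test-suite.
function parsesAsScript(body) {
  try {
    new Function(body); // parse only, never invoked
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: a list endpoint returning a top-level array.
const sampleRecords = [
  { id: 1, email: 'alice@example.com' },
  { id: 2, email: 'bob@example.com' },
];

// Run the three checks and the round trip; returns results for inspection.
function demo() {
  const res = buildProtectedResponse(sampleRecords);
  return {
    // bare array: valid JS expression, hence loadable as a script
    rawArrayIsScript: parsesAsScript(JSON.stringify(sampleRecords)),
    // top-level object: `{"items": ...}` is a block with an invalid label,
    // so it is a syntax error as a script (the point made in the thread)
    rawObjectIsScript: parsesAsScript(JSON.stringify({ items: sampleRecords })),
    // prefixed body: `)` at position 0 is a syntax error
    protectedIsScript: parsesAsScript(res.body),
    // the cooperating client still recovers the original value
    roundTrip: parseProtectedBody(res.body),
  };
}

console.log(demo());
```

The `parsesAsScript` check is the one worth keeping in a serializer's tests: it turns the blog post's argument into an assertion that a given response shape cannot be loaded cross-origin as a script, whichever mitigation (prefix, or always wrapping in an object) the project settles on.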