If JSON parsing fails it now issues a BadRequest exception.

CHANGES

@@ -14,7 +14,7 @@ Relase date to be decided, codename to be chosen.
 - Empty session cookies are now deleted properly automatically.
 - View functions can now opt out of getting the automatic
   OPTIONS implementation.
-- HTTP exceptions and Bad Request Key Errors can now be trapped so that they
+- HTTP exceptions and Bad Request errors can now be trapped so that they
   show up normally in the traceback.
 - Flask in debug mode is now detecting some common problems and tries to
   warn you about them.
@@ -23,6 +23,9 @@ Relase date to be decided, codename to be chosen.
   feedback when users forget to import view code ahead of time.
 - Added the ability to register callbacks that are only triggered once at
   the beginning of the first request. (:meth:`Flask.before_first_request`)
+- Malformed JSON data will now trigger a bad request HTTP exception instead
+  of a value error which usually would result in a 500 internal server
+  error if not handled.  This is a backwards incompatible change.
 
 Version 0.7.3
 -------------

docs/upgrading.rst

@@ -29,6 +29,13 @@ object.  With that introduction we moved the implementation details for
 the session system into a new module called :mod:`flask.sessions`.  If you
 used the previously undocumented session support we urge you to upgrade.
 
+If invalid JSON data was submitted Flask will now raise a
+:exc:`~werkzeug.exceptions.BadRequest` exception instead of letting the
+default :exc:`ValueError` bubble up.  This has the advantage that you no
+longer have to handle that error to avoid an internal server error showing
+up for the user.  If you were catching this down explicitly in the past
+as `ValueError` you will need to change this.
+
 Version 0.7
 -----------
 

flask/wrappers.py

@@ -10,6 +10,7 @@
 """
 
 from werkzeug.wrappers import Request as RequestBase, Response as ResponseBase
+from werkzeug.exceptions import BadRequest
 from werkzeug.utils import cached_property
 
 from .debughelpers import attach_enctype_error_multidict
@@ -96,9 +97,21 @@ class Request(RequestBase):
             _assert_have_json()
         if self.mimetype == 'application/json':
             request_charset = self.mimetype_params.get('charset')
-            if request_charset is not None:
-                return json.loads(self.data, encoding=request_charset)
-            return json.loads(self.data)
+            try:
+                if request_charset is not None:
+                    return json.loads(self.data, encoding=request_charset)
+                return json.loads(self.data)
+            except ValueError, e:
+                return self.on_json_loading_failed(e)
+
+    def on_json_loading_failed(self, e):
+        """Called if decoding of the JSON data failed.  The return value of
+        this method is used by :attr:`json` when an error ocurred.  The
+        default implementation raises a :class:`~werkzeug.exceptions.BadRequest`.
+
+        .. versionadded:: 0.8
+        """
+        raise BadRequest()
 
     def _load_form_data(self):
         RequestBase._load_form_data(self)

tests/flask_tests.py

@@ -984,6 +984,15 @@ class BasicFunctionalityTestCase(unittest.TestCase):
 
 class JSONTestCase(unittest.TestCase):
 
+    def test_json_bad_requests(self):
+        app = flask.Flask(__name__)
+        @app.route('/json', methods=['POST'])
+        def return_json():
+            return unicode(flask.request.json)
+        c = app.test_client()
+        rv = c.post('/json', data='malformed', content_type='application/json')
+        self.assertEqual(rv.status_code, 400)
+
     def test_json_body_encoding(self):
         app = flask.Flask(__name__)
         app.testing = True