Callback for root nodes shouldn't return a list

[jonblack]

Root nodes in the tree are expected to be returned as a list. The Flask framework's implementation of json (jsonify) treats top-level lists as a security risk:

The problem are arrays at top-level in JSON. [...] An attacker can use this (like above) to get all the data you exported in your JSON file.

There is more information about a workaround in this issue:

I appreciate that top-level array elements are not allowed to be created in Flask's jsonify() implementation (http://flask.pocoo.org/docs/0.10/security/#json-security). Also, there are for sure straight-forward strategies for solving this in application code, for example by wrapping the list in a dictionary: jsonify({"items": collection}).