From 9a2ab459572932a4635de2e93696236e7c303068 Mon Sep 17 00:00:00 2001
From: Kenneth Reitz <me@kennethreitz.org>
Date: Mon, 15 Oct 2018 07:18:19 -0400
Subject: [PATCH] safe dump

---
 responder/formats.py    |  2 +-
 tests/test_responder.py | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/responder/formats.py b/responder/formats.py
index 6cabe02..c82ca97 100644
--- a/responder/formats.py
+++ b/responder/formats.py
@@ -10,7 +10,7 @@ async def format_form(r, encode=False):
 async def format_yaml(r, encode=False):
     if encode:
         r.headers.update({"Content-Type": "application/x-yaml"})
-        return yaml.dump(r.media)
+        return yaml.safe_dump(r.media)
     else:
         return yaml.safe_load(await r.content)
 
diff --git a/tests/test_responder.py b/tests/test_responder.py
index fa816b8..3f98fae 100644
--- a/tests/test_responder.py
+++ b/tests/test_responder.py
@@ -268,3 +268,25 @@ def test_form_uploads(api, session):
     dump = {"complicated": "times"}
     r = session.post(api.url_for(route), data=dump)
     assert r.json() == dump
+
+
+def test_json_downloads(api, session):
+    dump = {"testing": "123"}
+
+    @api.route("/")
+    def route(req, resp):
+        resp.media = dump
+
+    r = session.get(api.url_for(route), headers={"Content-Type": "application/json"})
+    assert r.json() == dump
+
+
+def test_yaml_downloads(api, session):
+    dump = {"testing": "123"}
+
+    @api.route("/")
+    def route(req, resp):
+        resp.media = dump
+
+    r = session.get(api.url_for(route), headers={"Content-Type": "application/x-yaml"})
+    assert yaml.safe_load(r.content) == dump