Remove _serialize from templates

[cleptric]

cc @chinpei215

[codecov-io]

Codecov Report

Merging #390 into master will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #390   +/-   ##
=========================================
  Coverage     92.41%   92.41%           
  Complexity      675      675           
=========================================
  Files            25       25           
  Lines          2176     2176           
=========================================
  Hits           2011     2011           
  Misses          165      165

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 93e1f12...5aa2dcb. Read the comment docs.

[markstory]

Is this necessary with the auto serialize removed from the app skeleton?

[chinpei215]

I think it is necessary. I think people would easy to forget to remove this code from the baked controller. For instance, our official site has not removed the code: https://github.com/cakephp/cakephp.org/blob/e4471d274571e4c9fc9581816077cb54063609e8/src/Controller/Admin/ProjectsController.php#L34
I don't think it is intended to return JSON/XML from the action. And it could be a security hole if we had authorization based on roles.

[ADmad]

Instead of simply removing it, the generating of statement for setting _serialize var should be made configurable.

[chinpei215]

We should recognize this as a potential security risk. In fact, we have already recommended to remove all _serialize from actions, and add it explicitly. So first, I think we should remove _serialize as soon as possible. And if you have some ideas about the new option, we can add it and its documentation.

[rchavik]

i agree with@chinpei215

[markstory]

@rchavik @chinpei215 Ok.