Why we need to clean up __proto__
Mark S. Miller
erights at google.com
Wed Dec 28 17:57:34 PST 2011
This exact issue is tested at <
Although Chrome and Safari fail this test for this reason, WebKit Nightly
and Opera, both of which have magical __proto__, both still pass this test.
Their magical __proto__ does not corrupt their JSON implementation.
Needless to say, IE's JSON has no such problem.
On Wed, Dec 28, 2011 at 11:58 AM, gaz Heyes <gazheyes at gmail.com> wrote:
> I'd also like to add that __proto__ allows valid JSON to change its
> object type and allow functions within properties. There isn't a compelling
> exploit scenario for this yet but who knows what is possible if setters
> come into the equation.
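A check for the behaviour discussed in this thread, as an added example that is not part of the original message or of the test it refers to. The names `checkProtoKey`, `assigningParse` and `definingParse` are hypothetical, and `assigningParse` is a constructed stand-in that stores keys by plain assignment to show what a corrupted result looks like; it is not the code of any browser named above.

```javascript
"use strict";

// Report how a parse function treats a "__proto__" key in JSON text.
function checkProtoKey(parse) {
  const parsed = parse('{"__proto__": [], "x": 1}'); // constructed input
  return {
    // A sound parser stores "__proto__" as an ordinary own data property...
    ownKey: Object.prototype.hasOwnProperty.call(parsed, "__proto__"),
    // ...and the result stays a plain object.
    plainObject: Object.getPrototypeOf(parsed) === Object.prototype,
    // If the magical __proto__ fired, the object now inherits from the array.
    looksLikeArray: parsed instanceof Array,
  };
}

// Constructed stand-in for a corrupted parser: keys are stored by
// assignment, so "__proto__" reaches the inherited accessor.
function assigningParse(text) {
  const source = JSON.parse(text);
  const result = {};
  for (const key of Object.keys(source)) {
    result[key] = source[key];
  }
  return result;
}

// The same copy done by definition: "__proto__" becomes a plain own
// property and the prototype chain is left alone.
function definingParse(text) {
  const source = JSON.parse(text);
  const result = {};
  for (const key of Object.keys(source)) {
    Object.defineProperty(result, key, {
      value: source[key],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return result;
}

console.log("JSON.parse    ", checkProtoKey(JSON.parse));
console.log("assigningParse", checkProtoKey(assigningParse));
console.log("definingParse ", checkProtoKey(definingParse));
```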