Why we need to clean up __proto__

Mark S. Miller erights at google.com
Wed Dec 28 17:57:34 PST 2011


This exact issue is tested at
<http://hg.ecmascript.org/tests/test262/file/c84161250e66/test/suite/ch15/15.12/15.12.2/S15.12.2_A1.js>.
Although Chrome and Safari fail this test for this reason, WebKit Nightly
and Opera, both of which have magical __proto__, both still pass this test.
Their magical __proto__ does not corrupt their JSON implementation.
Needless to say, IE's JSON has no such problem.

On Wed, Dec 28, 2011 at 11:58 AM, gaz Heyes <gazheyes at gmail.com> wrote:

> I'd also like to add that __proto__ allows valid JSON to change its
> object type and allow functions within properties. There isn't a compelling
> exploit scenario for this yet but who knows what is possible if setters
> come into the equation.
>
> alert(({"__proto__":[]}).sort)
> alert(({"__proto__":function::['parent']}).location)
>
>
>


-- 
    Cheers,
    --MarkM
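
The behaviour discussed in this message, as an added example that is not part of the original post or of the test262 suite: it checks that a JSON parser keeps `"__proto__"` as an ordinary own property, contrasts that with the object-literal form, and flags `__proto__` keys in parsed input. The helper names `checkJsonProto`, `literalChangesType` and `findProtoKeys` and the sample string are assumptions, and a modern engine such as Node.js is assumed.

```javascript
// Added example; helper names are hypothetical, sample input is constructed.

// Same property the linked test262 case checks: JSON.parse must treat
// "__proto__" as an ordinary own data property, not as a prototype setter.
function checkJsonProto(parse) {
  const x = parse('{"__proto__":[]}');
  return {
    prototypeUntouched: Object.getPrototypeOf(x) === Object.prototype,
    ownProperty: Object.prototype.hasOwnProperty.call(x, '__proto__'),
    valueIsArray: Array.isArray(x['__proto__']),
  };
}

// The object-literal form from the quoted message: the same text replaces
// the prototype, so the "plain object" inherits Array methods such as sort.
function literalChangesType() {
  const o = ({"__proto__": []});
  return {
    inheritsSort: typeof o.sort === 'function',
    ownProperty: Object.prototype.hasOwnProperty.call(o, '__proto__'),
    protoIsArray: Array.isArray(Object.getPrototypeOf(o)),
  };
}

// Defensive check: list the paths of own "__proto__" keys in parsed JSON so
// the input can be rejected before later code assigns its keys one by one
// and reaches the __proto__ setter.
function findProtoKeys(value, path = '$', hits = []) {
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const child = `${path}.${key}`;
      if (key === '__proto__') hits.push(child);
      findProtoKeys(value[key], child, hits);
    }
  }
  return hits;
}

// Constructed sample input.
const sample =
  '{"user":{"name":"a","__proto__":{"admin":true}},"list":[{"__proto__":[]}]}';
console.log(checkJsonProto(JSON.parse));
console.log(literalChangesType());
console.log(findProtoKeys(JSON.parse(sample)));
```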