Why we need to clean up __proto__

Mark S. Miller erights at google.com
Wed Dec 28 17:57:34 PST 2011

This exact issue is tested at <
Although Chrome and Safari fail this test for this reason, WebKit Nightly
and Opera, both of which have magical __proto__, both still pass this test.
Their magical __proto__ does not corrupt their JSON implementation.
Needless to say, IE's JSON has no such problem.

On Wed, Dec 28, 2011 at 11:58 AM, gaz Heyes <gazheyes at gmail.com> wrote:

> I'd also like to add that __proto__ allows valid JSON to change its
> object type and allow functions within properties. There isn't a compelling
> exploit scenario for this yet but who knows what is possible if setters
> come into the equation.
> alert(({"__proto__":[]}).sort)
> alert(({"__proto__":function::['parent']}).location)
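
The property discussed in this thread, as an added example that is not part of the original messages: a check that a JSON parser stores a "__proto__" key as inert data, contrasted with evaluating the same text as an object literal, plus a copy helper that keeps the key inert. All function names are hypothetical, the sample text is constructed from the quoted snippet, and the expected results assume a current ECMAScript engine.

```javascript
// Constructed sample input: the JSON text from the quoted message.
const SAMPLE = '{"__proto__": []}';

// Report how `parse` (any JSON.parse-compatible function) treated the key.
function inspectProtoKey(parse, text = SAMPLE) {
  const obj = parse(text);
  return {
    // true when "__proto__" was stored as an ordinary own data property
    ownProperty: Object.prototype.hasOwnProperty.call(obj, "__proto__"),
    // true when the result still inherits directly from Object.prototype
    plainObject: Object.getPrototypeOf(obj) === Object.prototype,
    // true when Array methods became reachable through the prototype chain
    inheritsSort: typeof obj.sort === "function",
  };
}

// A parser passes when the key is data and the object type is unchanged.
function protoKeyIsInert(parse) {
  const r = inspectProtoKey(parse);
  return r.ownProperty && r.plainObject && !r.inheritsSort;
}

// Contrast only: legacy "parse by eval". In an object literal, "__proto__"
// is special syntax that sets the prototype, so the object type changes.
function literalParse(text) {
  return (0, eval)("(" + text + ")");
}

// Plain assignment of the key runs the inherited __proto__ setter on the
// copy, so a correctly parsed object is corrupted one step later.
function naiveCopy(src) {
  const dst = {};
  for (const key of Object.keys(src)) dst[key] = src[key];
  return dst;
}

// Defining the property bypasses the setter and keeps the key as data.
function copyOwn(src) {
  const dst = {};
  for (const key of Object.keys(src)) {
    Object.defineProperty(dst, key, {
      value: src[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return dst;
}
```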
