Comments on Sept Meeting Notes
domenic at domenicdenicola.com
Wed Sep 25 11:41:49 PDT 2013
From: Kevin Smith [zenparsing at gmail.com]
> I'm still not quite convinced that objects-as-maps make a truly isolated namespace necessary, however. I would be convinced by a code example showing how a property of an object using arbitrary string keys could be misinterpreted as a meta-level property.
> I'll try to think of one...
The hard part of producing such examples is that most of the meta-level properties are functions (e.g. iterator), and thus it's not trivially easy to produce an object from `JSON.parse`ing user input. But there are some meta-level properties that are not functions, namely @@isRegExp, @@toStringTag, and @@unscopables.
So let's say that we decided to use a non-isolated namespace of strings, instead of unique symbols. Thus, we would have `"std:isRegExp"`, `"std:toStringTag"`, and `"std:unscopeables"`. Well, then simple code like this:
    var requestBody = JSON.parse(req.body);
could end up getting a very weird object, if I POSTed the string
    {
      "std:toStringTag": "My Custom String Tag With Spaces and Punctuation!",
      "std:unscopeables": ["hasOwnProperty", "toString", "propertyIsEnumerable"]
    }
to that HTTP endpoint.
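The scenario in this message, as an added JavaScript example that is not part of the original post: it contrasts a hypothetical string-keyed `"std:toStringTag"` lookup with the real `Symbol.toStringTag`, then shows the key filter an endpoint would need under the string-keyed design. The `"std:"` lookup is the message's hypothetical, and the function names are made up for this illustration.

```javascript
// Added illustration. The "std:" string-keyed lookup is the hypothetical design
// from the message, not real engine behaviour; function names are made up here.
const POSTED = JSON.stringify({ // constructed request body
  "std:toStringTag": "My Custom String Tag With Spaces and Punctuation!",
  "std:unscopeables": ["hasOwnProperty", "toString", "propertyIsEnumerable"],
});

// Hypothetical: the meta-level hook is looked up under an ordinary string key.
function tagOfStringKeyed(obj) {
  const tag = obj["std:toStringTag"];
  return "[object " + (typeof tag === "string" ? tag : "Object") + "]";
}

// Real: Object.prototype.toString consults the unique Symbol.toStringTag.
function tagOfSymbolKeyed(obj) {
  return Object.prototype.toString.call(obj);
}

// JSON text cannot express symbol keys, so parsed input never carries any.
function symbolKeyCount(text) {
  return Object.getOwnPropertySymbols(JSON.parse(text)).length;
}

// What every endpoint would need under the string-keyed design: a reviver
// that refuses reserved keys at any nesting depth.
function parseRejectingReserved(text, prefix = "std:") {
  return JSON.parse(text, (key, value) => {
    if (key.startsWith(prefix)) throw new TypeError("reserved key: " + key);
    return value;
  });
}

// True when the filter refuses the input because of a reserved key.
function rejects(text) {
  try { parseRejectingReserved(text); return false; }
  catch (e) { return e instanceof TypeError; }
}

const parsed = JSON.parse(POSTED);
console.log(tagOfStringKeyed(parsed));
console.log(tagOfSymbolKeyed(parsed));
console.log(symbolKeyCount(POSTED), rejects(POSTED));
```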