@@toStringTag spoofing for null and undefined

Domenic Denicola d at domenic.me
Mon Jan 19 15:47:50 PST 2015

I think we should remove those anti-spoofing "protections". I anticipate a discussion at TC39 next week.

-----Original Message-----
From: es-discuss [mailto:es-discuss-bounces at mozilla.org] On Behalf Of Nicholas C. Zakas
Sent: Monday, January 19, 2015 17:59
To: es-discuss
Subject: @@toStringTag spoofing for null and undefined

According to Object.prototype.toString() [1], it's possible to do this:

function Foo(){}

Foo.prototype[Symbol.toStringTag] = "Null";

Object.prototype.toString.call(new Foo());   // "[object Null]"

It seems like `"Null"` and `"Undefined"` should be added to the step 17(b) list of exceptions to prevent spoofing of null and undefined values using this approach.

I couldn't think of a reason why the current behavior would make sense, but if I'm off base, feel free to correct me. :)


Nicholas C. Zakas
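
Added example, not part of either message above: a comparison of type checks that trust the Object.prototype.toString tag against checks that cannot be influenced by Symbol.toStringTag. It assumes an engine that honours a string-valued Symbol.toStringTag on ordinary objects, as in the snippet in the message; the helper names (tagOf, byTag, strict, samples, findDisagreements) are hypothetical.

```javascript
// Added example (not from the thread). All helper names are hypothetical.

// Tag as reported by Object.prototype.toString, e.g. "Null" or "Array".
function tagOf(value) {
  return Object.prototype.toString.call(value).slice(8, -1);
}

// Brittle checks: they trust a string that Symbol.toStringTag can override.
const byTag = {
  isNull: (v) => tagOf(v) === "Null",
  isUndefined: (v) => tagOf(v) === "Undefined",
  isArray: (v) => tagOf(v) === "Array",
};

// Robust checks: identity comparison and Array.isArray ignore Symbol.toStringTag.
const strict = {
  isNull: (v) => v === null,
  isUndefined: (v) => v === undefined,
  isArray: (v) => Array.isArray(v),
};

// Constructed samples: the Foo object from the message plus two variations.
function Foo() {}
Foo.prototype[Symbol.toStringTag] = "Null";

const samples = {
  spoofedNull: new Foo(),
  spoofedUndefined: { [Symbol.toStringTag]: "Undefined" },
  spoofedArray: { [Symbol.toStringTag]: "Array", length: 0 },
  realNull: null,
  realArray: [],
};

// Lists every "sample:check" pair where the tag-based answer differs
// from the strict answer, i.e. where the tag-based check was misled.
function findDisagreements() {
  const out = [];
  for (const [name, value] of Object.entries(samples)) {
    for (const check of Object.keys(byTag)) {
      if (byTag[check](value) !== strict[check](value)) {
        out.push(`${name}:${check}`);
      }
    }
  }
  return out;
}

console.log(findDisagreements());
```

Code that validates untrusted values before a security-relevant decision should use the strict form; the tag string is only a display label.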
