@@toStringTag spoofing for null and undefined

Mark S. Miller erights at google.com
Wed Jan 21 18:09:26 PST 2015


On Wed, Jan 21, 2015 at 6:01 PM, Allen Wirfs-Brock <allen at wirfs-brock.com>
wrote:

>
> On Jan 21, 2015, at 2:09 PM, Mark S. Miller wrote:
>
> // old ES5 code
>
> function f(allegedDate) {
>   if (({}).toString.call(allegedDate) === "[object Date]") {
>     JSON.stringify(allegedDate); // "[]" impossible in ES5
>     Array.isArray(allegedDate); // true impossible in ES5
>     Date.prototype.getYear.call(allegedDate); // error impossible in ES5
>   }
> }
>
>
> // new ES6 code
>
> const fakeDate = [];
> const defProp = Object.defineProperty;
> defProp(fakeDate, Symbol.toStringTag, { value: "[object Date]" });
> f(fakeDate); // all ES5 impossible behaviors happen
>
>
> not quite.  The last of your tests (getYear) will still fail because
> fakeDate is not internally branded as a date.
>

Ignoring the unintended Annex B issue, that failure supports my point. In
ES5 we could not have failed at this point, because this point is only
reached if allegedDate is a genuine Date.



>
> See
> http://people.mozilla.org/~jorendorff/es6-draft.html#sec-date.prototype.getyear step
> 1 and the definition of "this time value" in
> http://people.mozilla.org/~jorendorff/es6-draft.html#sec-properties-of-the-date-prototype-object
>
>
> (BTW, did you intentionally pick an Annex B Date method?)
>
> Allen
>



-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20150121/23dbdc53/attachment.html>


More information about the es-discuss mailing list