@@toStringTag spoofing for null and undefined

Brendan Eich brendan at mozilla.org
Thu Jan 22 11:20:16 PST 2015


Allen Wirfs-Brock wrote:
> On Jan 21, 2015, at 6:09 PM, Mark S. Miller wrote:
>
>>
>> On Wed, Jan 21, 2015 at 6:01 PM, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:
>>
>>     On Jan 21, 2015, at 2:09 PM, Mark S. Miller wrote:
>>
>>>     // old ES5 code
>>>
>>>     function f(allegedDate) {
>>>       if (({}).toString.call(allegedDate) === "[object Date]") {
>>>         JSON.stringify(allegedDate); // "[]" impossible in ES5
>
> Actually, it isn't impossible.  allegedDate could have a `toJSON` 
> method that returns `"[]"`
>
> This is a pretty good example of why this sort of brand check is so 
> problematic.  It is based upon and supports the misperception that 
> such a branded object will have all of the specified initial 
> characteristics of the corresponding built-in.

This is a great point, which makes me want to +1 your suggestion:

Allen Wirfs-Brock wrote:
> On Jan 21, 2015, at 11:03 AM, Brendan Eich wrote:
>> Let's lose what we can, to avoid letting loose the 
>> complexity/risk-hounds ;-). How would you cut anti-spoofing?
>
> By simply deleting step 17 of 
> http://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.prototype.tostring

Then Jordan could spoof in his shim, and others could too. But Mark 
would worry some code became vulnerable that was not in ES5.

Mark, can you cite real code examples? Not doubting they exist, just 
looking for something not like the Date example that didn't quite show 
the vuln.

/be
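An added example (not code from the thread or from any of its authors) that runs both failure modes of the ES5-style brand check discussed above: a genuine Date whose own `toJSON` makes `JSON.stringify` return `"[]"`, as Allen describes, and a plain object that satisfies the `"[object Date]"` test through `Symbol.toStringTag`. The spoof case assumes an engine whose `Object.prototype.toString` honours `@@toStringTag` for built-in tags, which is what deleting the anti-spoofing step gives and what ES2015 finally shipped; the `isRealDate` helper, an assumed name, shows a check on the internal slot instead of the tag.

```javascript
// Added example: the ES5-era brand check and two ways it fails to guarantee
// "a real Date with intact behaviour". Not code from the es-discuss thread.

// The check the old ES5 code in the thread relied on.
function looksLikeDate(allegedDate) {
  return ({}).toString.call(allegedDate) === "[object Date]";
}

// Case 1 (Allen's point): a genuine Date with an own toJSON override.
// The brand check passes, yet JSON.stringify yields "[]", not a date string.
function jsonOfRealDateWithToJSON() {
  const d = new Date(0);
  d.toJSON = () => []; // constructed: toJSON returning an empty array
  return { passesBrandCheck: looksLikeDate(d), json: JSON.stringify(d) };
}

// Case 2 (ES6): a plain object spoofing the tag via Symbol.toStringTag.
// With no anti-spoofing step in Object.prototype.toString, the check
// passes for something that is not a Date at all (symbol keys are not
// serialised, so JSON.stringify gives "{}").
function jsonOfSpoofedDate() {
  const fake = { [Symbol.toStringTag]: "Date" }; // constructed spoof
  return { passesBrandCheck: looksLikeDate(fake), json: JSON.stringify(fake) };
}

// Assumed helper name. Checks the [[DateValue]] internal slot rather than
// the tag: Date.prototype.getTime throws a TypeError when `this` lacks it,
// so neither a tag spoof nor a Proxy gets through. It still says nothing
// about overridden methods such as toJSON, which is Allen's wider point.
function isRealDate(x) {
  try {
    Date.prototype.getTime.call(x);
    return true;
  } catch (e) {
    return false;
  }
}
```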

