Object.assign interaction with __proto__ field.
same way Object.assign makes getters own properties, anything else
special gets assigned right away, including Symbols.
This is a usually ignored gotta of the issue Object.assign could actually
cause in the wild, specially with polyfills where WeakMap symbols assigned
directly might be passed around.
I'm not sure __proto__ as key deserves any special treatment, compared to
all other little gotchas, but FWIW I'm still for banning __proto__ from
the language through 1 year of browsers warnings and a wide community
involvement in getting rid of that little "bomb" ECMA kept in core.
NodeJS got bitten with query strings, developers loading user land JSON can
get bitten with "__proto__": null and so on and so fort.
.
You don't need JSON.parse there - see Object.getPrototypeOf({ ['__proto__']: null }) !== null.
Le 26 sept. 2018 à 16:27, Mike Samuel <mikesamuel at gmail.com> a écrit :
Might it be a spec bug that in the below, o's prototype changes, and o.x !== b.x?
const a = makeIntercepter(); const b = { x: 1 }; const o = Object.assign( {}, a, b);
console.log(
o is plain Object: ${ Object.getPrototypeOf(o) === Object.prototype });console.log(
b.x=${ b.x }, o.x=${ o.x });function makeIntercepter() { return JSON.parse( // Get an object that has an actual "proto" property. '{ "proto": {} }', // Replace the proto property's value with one that // traps assignment to x. (key, value) => ( (key === 'proto') ? { set x(v) { console.log(
intercepted ${ v }); }, get x() { return 2; }, } : value)); }In modern Chrome, Firefox, Safari I get intercepted 1 getPrototypeOf(o)===Object.prototype: false b.x=1, o.x=2
es-discuss mailing list es-discuss at mozilla.org, mail.mozilla.org/listinfo/es-discuss, mail.mozilla.org/listinfo/es-discuss
🤦 It’s not a bug. But you definitely convinced me to add delete Object.prototype.__proto__ at the top of my JS.
Might it be a spec bug that in the below, o's prototype changes, and o.x !== b.x?
const a = makeIntercepter(); const b = { x: 1 }; const o = Object.assign( {}, a, b);
console.log(
o is plain Object: ${ Object.getPrototypeOf(o) === Object.prototype });console.log(
b.x=${ b.x }, o.x=${ o.x });function makeIntercepter() { return JSON.parse( // Get an object that has an actual "proto" property. '{ "proto": {} }', // Replace the proto property's value with one that // traps assignment to x. (key, value) => ( (key === 'proto') ? { set x(v) { console.log(
intercepted ${ v }); }, get x() { return 2; }, } : value)); }In modern Chrome, Firefox, Safari I get intercepted 1 getPrototypeOf(o)===Object.prototype: false b.x=1, o.x=2
Might it be a spec bug that in the below, o's prototype changes, and o.x !== b.x? const a = makeIntercepter(); const b = { x: 1 }; const o = Object.assign( {}, a, b); console.log(`o is plain Object: ${ Object.getPrototypeOf(o) === Object.prototype }`); console.log(`b.x=${ b.x }, o.x=${ o.x }`); function makeIntercepter() { return JSON.parse( // Get an object that has an actual "__proto__" property. '{ "__proto__": {} }', // Replace the __proto__ property's value with one that // traps assignment to x. (key, value) => ( (key === '__proto__') ? { set x(v) { console.log(`intercepted ${ v }`); }, get x() { return 2; }, } : value)); } In modern Chrome, Firefox, Safari I get intercepted 1 getPrototypeOf(o)===Object.prototype: false b.x=1, o.x=2 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20180926/7f2f307a/attachment.html>