This repository was archived by the owner on May 18, 2024. It is now read-only.
isAllowedKey / isConstructorPrototype / throwOnProto logic is unnecessary and harmful #2
Description
A superset of #1.
parseJson('{ "__proto__": 1 }'); // => {}
parseJson('{ "constructor": { "prototype": 1 } }'); // => { constructor: {} }and SyntaxError with throwOnProto,
when native
JSON.parse('{ "__proto__": 1 }'); // => { __proto__: 1 }
JSON.parse('{ "constructor": { "prototype": 1 } }'); // => { constructor: { prototype: 1 } }It's absolutely nothing dangerous in constructor: prototype in object literal.
__proto__ and custom Object.prototype getters can be worked around via Object.defineProperty:
if (key in Object.prototype) {
Object.defineProperty(object, key, {
value: result.value,
enumerable: true,
writable: true,
configurable: true
});
} else object[key] = result.value;