From: Kevin Smith [[email protected]]

> I'm still not quite convinced that objects-as-maps make a truly isolated 
> namespace necessary, however.  I would be convinced by a code example showing 
> how a property of an object using arbitrary string keys could be 
> misinterpreted as a meta-level property.

> I'll try to think of one...

The hard part of producing such examples is that most of the meta-level 
properties are functions (e.g. iterator), and thus it's not trivially easy to 
produce an object from `JSON.parse`ing user input. But there are some 
meta-level properties that are not functions, namely @@isRegExp, @@toStringTag, 
and @@unscopables.

So let's say that we decided to use a non-isolated namespace of strings, 
instead of unique symbols. Thus, we would have `"std:isRegExp"`, 
`"std:toStringTag"`, and `"std:unscopeables"`. Well, then simple code like this:

```js
var requestBody = JSON.parse(req.body);
```

could end up getting a very weird object, if I POSTed the string

```json
{
  "std:isRegExp": true,
  "std:toStringTag": "My Custom String Tag With Spaces and Punctuation!",
  "std:unscopeables": ["hasOwnProperty", "toString", "propertyIsEnumerable"]
}
```

to that HTTP endpoint.
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
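
The scenario in the message above, as an added example that is not part of the original post: a string-keyed meta-level hook can be set from parsed JSON, while the real `Symbol.toStringTag` hook cannot. The helper names (`tagViaStringKey`, `tagViaSymbol`, `parseStripped`, `demo`) and the `"std:"`-keyed lookup are hypothetical, and the last two keys in the body are constructed for the comparison.

```javascript
// Constructed request body: the payload quoted in the message, plus two keys
// that try to "spell" the real symbol in JSON (they remain ordinary strings).
const body = JSON.stringify({
  "std:isRegExp": true,
  "std:toStringTag": "My Custom String Tag With Spaces and Punctuation!",
  "std:unscopeables": ["hasOwnProperty", "toString", "propertyIsEnumerable"],
  "Symbol(Symbol.toStringTag)": "Forged",
  "@@toStringTag": "Forged"
});

// Hypothetical string-keyed protocol (assumption): the engine would look up
// the tag under the string "std:toStringTag" instead of a unique symbol.
function tagViaStringKey(obj) {
  const tag = obj["std:toStringTag"];
  return "[object " + (typeof tag === "string" ? tag : "Object") + "]";
}

// Actual protocol: Object.prototype.toString consults Symbol.toStringTag,
// a key that no JSON text can produce.
function tagViaSymbol(obj) {
  return Object.prototype.toString.call(obj);
}

// What a receiver would have to do under the string-keyed design: drop every
// key in the reserved "std:" namespace while parsing. Returning undefined
// from a JSON.parse reviver deletes that property.
function parseStripped(text) {
  return JSON.parse(text, (key, value) =>
    key.startsWith("std:") ? undefined : value);
}

function demo() {
  const parsed = JSON.parse(body);
  return {
    stringKeyed: tagViaStringKey(parsed),   // tag chosen by the sender
    symbolKeyed: tagViaSymbol(parsed),      // tag unaffected by the sender
    ownSymbols: Object.getOwnPropertySymbols(parsed).length,
    forgedKeys: Object.keys(parsed).filter((k) => k.startsWith("std:")),
    afterStrip: tagViaStringKey(parseStripped(body))
  };
}

console.log(demo());
```
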
