The text “__proto__” can break a webapp
[This post is part of a series on the special property __proto__]
The following webapps are susceptible to “__proto__”-induced breakage:
__proto__ is a special property of JavaScript objects [1]. Therefore, if you use an object as a map from strings to values, you must not use the string "__proto__" as a key. That is one of several things that you have to watch out for when using objects this way [2].
The text “__proto__” can still break webapps if it appears somewhere in the content, as I was reminded of today, via Domenic Denicola and Peter van der Zee.
The breakage
The following webapps are susceptible to “__proto__”-induced breakage:
- The classic – Google Docs: For a while, if you typed in “__proto__” at the beginning of a document in Google Docs then it would hang.
- Current – Twitter: If you click on @__proto__ in a tweet then the profile summary that comes up only has a title bar, but no content. You also get “slow script” dialogs in Firefox.
You can try it out in this tweet.
Why?
__proto__ is a special property of JavaScript objects [1]. Therefore, if you use an object as a map from strings to values, you must not use the string "__proto__" as a key. That is one of several things that you have to watch out for when using objects this way [2].
__proto__ is only supported in some browsers, things only break if it is supported. Thus, Firefox exhibits these problems, but Internet Explorer 9 does not. However, __proto__ will become part of ECMAScript 6 [1] which means that all browsers will eventually support it.
Comments
Post a Comment