The text “__proto__” can break a webapp

[This post is part of a series on the special property __proto__]


The text “__proto__” can still break webapps if it appears somewhere in the content, as I was reminded of today, via Domenic Denicola and Peter van der Zee.



The breakage



The following webapps are susceptible to “__proto__”-induced breakage:


  • The classic – Google Docs: For a while, if you typed in “__proto__” at the beginning of a document in Google Docs then it would hang.

  • Current – Twitter: If you click on @__proto__ in a tweet then the profile summary that comes up only has a title bar, but no content. You also get “slow script” dialogs in Firefox.
    You can try it out in this tweet.



Why?



__proto__ is a special property of JavaScript objects [1]. Therefore, if you use an object as a map from strings to values, you must not use the string "__proto__" as a key. That is one of several things that you have to watch out for when using objects this way [2].


__proto__ is only supported in some browsers, things only break if it is supported. Thus, Firefox exhibits these problems, but Internet Explorer 9 does not. However, __proto__ will become part of ECMAScript 6 [1] which means that all browsers will eventually support it.

References




  1. JavaScript: __proto__

  2. The pitfalls of using objects as maps in JavaScript


Comments

Popular posts from this blog

Steve Lopez and the Importance of Newspapers

Ideas for fixing unconnected computing

Omar to kill me