David Herman wrote:
On Aug 8, 2012, at 3:08 PM, Axel Rauschmayer wrote:
I'm not yet convinced that Object.update should be restricted to own
properties. If you're only using object literals, then yeah, you want own
properties only; you're basically using object literals as a poor man's named
arguments. But if you're just taking an arbitrary object, there's less reason
to expect that its relevant properties won't be inherited.
Can you elaborate? Because usually, you have instances that point to shared
prototypes. Then you’d also want only the own properties. If there is a type
hierarchy, all constructors put all instance data in the same object, so you
already have an automatic flattening.
That's a fair point. I have found that I will occasionally have a type-level
"constant" that makes sense to keep as an inherited data property, but I'll
grant it's somewhat rare.
It's an anti-pattern, in general: constants go on constructors or in
"package" objects. Too many collision and deep-mutable hazards on the
proto-chain for advisory constants.
Still, the fact that it works fine without the own-check today:
http://james.padolsey.com/jquery/#v=1.7.2&fn=jQuery.extend
indicates that code is working fine today without prototype pollution problems
(especially given that basically everything on the web breaks if you don't respect
"Object.prototype is verboten").
I made the same argument but reached a different conclusion: proto-chain
walking not wanted for Object.extend, because if people *did* extend
Object.prototype, lots of for-in uses, especially including the one in
Prototype's Object.extend, would break.
So before going with the own-check, I'd want to know that existing patterns
wouldn't break, and whether it really would help that much.
This is not a case of us knowing too little, or having a neutral stance
in the face of a balanced controversy. Object.prototype is verboten
*because* for-in walks the proto chain, *and* it's used by Object.extend
and other such things. Plus, people don't generally compose via
__proto__ (Object.create is new) or flatten proto-chains intentionally.
/be
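
The behaviour debated in this thread, as an added example that is not part of any message above or of the libraries mentioned: a for-in copy without an own-check picks up inherited properties, including anything added to Object.prototype, while an own-property copy does not. The names extendForIn, extendOwn, Point, UNITS and isEmpty are hypothetical, and the sample objects are constructed.

```javascript
// for-in copy without an own-check: walks the whole prototype chain.
function extendForIn(target, source) {
  for (var key in source) {
    target[key] = source[key];
  }
  return target;
}

// Own-property copy: only enumerable keys defined on source itself.
function extendOwn(target, source) {
  Object.keys(source).forEach(function (key) {
    target[key] = source[key];
  });
  return target;
}

// Run fn while Object.prototype carries an extra enumerable property,
// then remove it so nothing else in the process is affected.
function withExtendedObjectPrototype(fn) {
  Object.prototype.isEmpty = function () {
    return Object.keys(this).length === 0;
  };
  try {
    return fn();
  } finally {
    delete Object.prototype.isEmpty;
  }
}

// Constructed sample: instance data on the object, a shared "constant"
// kept as an inherited data property on the prototype.
function Point(x, y) { this.x = x; this.y = y; }
Point.prototype.UNITS = "px";

function demo() {
  var p = new Point(1, 2);
  return {
    inheritedCopied: Object.keys(extendForIn({}, p)).sort(),
    ownOnly: Object.keys(extendOwn({}, p)).sort(),
    pollutedForIn: withExtendedObjectPrototype(function () {
      return Object.keys(extendForIn({}, { a: 1 })).sort();
    }),
    pollutedOwn: withExtendedObjectPrototype(function () {
      return Object.keys(extendOwn({}, { a: 1 })).sort();
    })
  };
}

console.log(demo());
```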