Re: @@toStringTag spoofing for null and undefined

Mon, 19 Jan 2015 16:47:31 -0800 

On Jan 19, 2015, at 2:59 PM, Nicholas C. Zakas wrote:

> According to 19.1.3.6 Object.prototype.toString() [1], it's possible to do 
> this:
> 
> ```js
> function Foo(){}
> 
> Foo.prototype[Symbol.toStringTag] = "Null";
> 
> Object.prototype.toString.call(new Foo());   // "[object Null]"
> ```
> 
> It seems like `"Null"` and `"Undefined"` should be added to the step 17(b) 
> list of exceptions to prevent spoofing of null and undefined values using 
> this approach.
> 
> I couldn't think of a reason why the current behavior would make sense, but 
> if I'm off base, feel free to correct me. :)
> 
> [1]: 
> https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.prototype.tostring
> 

Let's be clear, the legacy usage we are trying to preserve is specifically 
detecting whether an object is one of those than in ES5 would of had a 
[[Class]] value that was one of "Function", "Array", "RegExp", "Date", 
"Arguments", "Error", "String", "Number",  "Boolean".

In ES<=5, O.p.toString just reported, an object's [[Class]] value and no object 
created using a JS level constructor could have those specific [[Class]] 
values.  So O.P.toString worked as a brand check for those specific built-in 
object representations.

We can't know everything JS programmers might have used that brand check for, 
so we need to preserve that O.p.toString behavior for those specific built-ins. 
 Part of the behavior we want to preserve is that only the implementation 
provided built-ins could eturn those specific values via O.p.toString (this was 
a requirement  introduced by ES5).   The spoofing protection is design to 
preserve that requirement.

"null" and "undefined" were never [[Class]] values.  And where actually 
introduced into O.p.toString by ES5.1 to fix a specific problem that was 
discovered after ES5 was completed(see threads starting at 
https://mail.mozilla.org/pipermail/es5-discuss/2010-June/003581.html and 
https://mail.mozilla.org/pipermail/es5-discuss/2010-June/003585.html ). 

I find it a stretch to believe that anyone is depending upon using O.p.toString 
as a non-spoofable brand check for null or undefined.

Allen 


_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss

Reply via email to