Allen Wirfs-Brock wrote:
On Jan 21, 2015, at 6:09 PM, Mark S. Miller wrote:
On Wed, Jan 21, 2015 at 6:01 PM, Allen Wirfs-Brock wrote:
On Jan 21, 2015, at 2:09 PM, Mark S. Miller wrote:
// old ES5 code
function f(allegedDate) {
  if (({}).toString.call(allegedDate) === "[object Date]") {
    JSON.stringify(allegedDate); // "[]" impossible in ES5
Actually it isn't impossible. allegedDate could have a `toJSON`
method that returns `"[]"`.
This is a pretty good example of why this sort of brand check is so
problematic. It is based upon and supports the misperception that
such a branded object will have all of the specified initial
characteristics of the corresponding built-in.
This is a great point, which makes me want to +1 your suggestion:
Allen Wirfs-Brock wrote:
On Jan 21, 2015, at 11:03 AM, Brendan Eich wrote:
Let's lose what we can, to avoid letting loose the
complexity/risk-hounds ;-). How would you cut anti-spoofing?
By simply deleting step 17 of
http://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.prototype.tostring
Then Jordan could spoof in his shim, and others could too. But Mark
would worry some code became vulnerable that was not in ES5.
Mark, can you cite real code examples? Not doubting they exist, just
looking for something not like the Date example that didn't quite show
the vuln.
/be
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
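
The two cases discussed in the thread, as an added example that is not code from any participant: a genuine Date whose own `toJSON` returns `[]`, and (in engines that implement `Symbol.toStringTag` without the anti-spoofing step) a plain object tagged as a Date, next to a check on the Date internal slot. The helper names `legacyBrandCheck`, `isRealDate`, `safeDateJSON` and `demo` are hypothetical.

```javascript
// Added example. Intrinsics are captured up front so later calls do not
// depend on methods looked up on the (untrusted) argument.
const objToString = Object.prototype.toString;
const dateGetTime = Date.prototype.getTime;
const dateToISOString = Date.prototype.toISOString;

// The ES5-era brand check quoted in the thread.
function legacyBrandCheck(x) {
  return objToString.call(x) === "[object Date]";
}

// Date.prototype.getTime throws a TypeError unless its receiver has the
// Date internal slot, so a toStringTag alone cannot satisfy this check.
function isRealDate(x) {
  try {
    dateGetTime.call(x);
    return true;
  } catch (e) {
    return false;
  }
}

// Serialize a Date without calling toJSON or any other method found on it.
function safeDateJSON(x) {
  if (!isRealDate(x)) throw new TypeError("not a Date");
  if (Number.isNaN(dateGetTime.call(x))) return "null"; // invalid date
  return JSON.stringify(dateToISOString.call(x));
}

// Case 1: a genuine Date with an own toJSON (constructed sample value).
const overridden = new Date(0);
overridden.toJSON = () => [];

// Case 2: a plain object that only carries the tag (constructed sample).
const spoofed = { [Symbol.toStringTag]: "Date", toJSON: () => [] };

function demo() {
  return {
    overriddenPassesLegacy: legacyBrandCheck(overridden),
    overriddenJSON: JSON.stringify(overridden),
    spoofedPassesLegacy: legacyBrandCheck(spoofed),
    spoofedIsRealDate: isRealDate(spoofed),
    safeJSON: safeDateJSON(overridden),
  };
}

console.log(demo());
```

Passing the internal-slot check still says nothing about the object's own properties, which is why `safeDateJSON` calls only the captured intrinsics.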