by locci 5473 days ago
Because [] is not syntactic sugar for new Array. The code the article wrote about doesn't work in any implementation that I know of. I think the ESv3 spec wasn't very clear: "Create a new array as if by the expression new Array()." But the implementations (always?) did the right thing, and the ESv5 spec is more clear: it adds "where Array is the standard built-in constructor with that name."
3 comments

This comment and the GP suggest that the article is wrong. Is it? Can anyone confirm a JS implementation that manifests the described behavior (the Array constructor being called when parsing top-level [] in JSON)?

It obviously worked this way at some point (http://news.ycombinator.com/item?id=2668888), so I'm guessing the older IEs, at least, still have this flaw.

> Because [] is not syntactic sugar for new Array

In Firefox 4 and other new browsers this is no longer the case. But right now it's still an issue as many people are using older browsers.

I just tested with Firefox portable 3.0.0 and it looks like it was already fixed then (June 2008).
The attack worked in an older Firefox, at least.
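
A check for the behaviour debated in this thread, added here as an example and not code from the article or any commenter: it swaps the global `Array` for a counting stand-in, evaluates a top-level JSON array, and reports whether the literal invoked the stand-in. The names `probeArrayLiteral` and `ReplacedArray` and the sample JSON are constructed for illustration; on an ES5-conforming engine the literal count is 0.

```javascript
// Added example: does an array literal consult a replaced global Array?
function probeArrayLiteral(source) {
  const BuiltinArray = globalThis.Array;
  let calls = 0;

  // Constructed stand-in for a page-defined Array; it only counts invocations.
  function ReplacedArray() {
    calls += 1;
    return new BuiltinArray();
  }

  globalThis.Array = ReplacedArray;
  try {
    // Indirect eval runs the text in global scope, like a top-level script.
    const indirectEval = eval;
    const value = indirectEval(source);
    const literalCalls = calls;

    // Control: an explicit constructor call does resolve the global name.
    indirectEval("new Array()");
    const constructorCalls = calls - literalCalls;

    return {
      literalCalls,
      constructorCalls,
      builtinResult: BuiltinArray.isArray(value),
      length: value.length,
    };
  } finally {
    globalThis.Array = BuiltinArray; // always restore the real constructor
  }
}

// Constructed sample: a JSON response whose top level is an array.
const SAMPLE_JSON = '[{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]';
const result = probeArrayLiteral(SAMPLE_JSON);
console.log(result);
```

A non-zero `literalCalls` on a given engine would mean its array literals still resolve the global `Array` name, which is the pre-ES5 ambiguity the first comment describes.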