by zerocrates 860 days ago
The one thing I've seen mentioned before is the use of "__proto__" as an object property key. Though it's valid syntax in both JSON and JS like any other string key, it somewhat uniquely does something different if interpreted as JS (setting the created object's prototype) than it does if interpreted as JSON.

That's fair, though somewhat benign barring a prototype pollution vulnerability. The object still behaves the same as it would had you JSON.parse'd the same string (Object.getPrototypeOf aside).
One simple issue would be if your object looks like

x = {"__proto__": {"foo": "bar"}}

now x.foo is "bar" if that's JS code, but undefined if you JSON.parse that same object definition from a string.
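The difference discussed in this thread, as an added example that is not part of any comment above: it goes one step further and shows that copying the JSON.parse'd object with Object.assign reintroduces the JS-literal behaviour, and that a reviver dropping the key avoids it. The helper names (`inspect`, `parseWithoutProto` and the rest) are assumptions made for this illustration, and the input string is constructed.

```javascript
// Constructed sample: the text from the thread, read two ways.
const text = '{"__proto__": {"foo": "bar"}}';

// Summarise how an object exposes "foo" and "__proto__".
function inspect(obj) {
  return {
    foo: obj.foo,
    ownProtoKey: Object.prototype.hasOwnProperty.call(obj, "__proto__"),
    plainPrototype: Object.getPrototypeOf(obj) === Object.prototype,
  };
}

// Read as JS source: the literal key sets the new object's prototype.
function fromLiteral() {
  return inspect({"__proto__": {"foo": "bar"}});
}

// Read as JSON: "__proto__" is an ordinary own data property.
function fromJson() {
  return inspect(JSON.parse(text));
}

// Object.assign copies with ordinary assignment, so the own "__proto__"
// key of the parsed object hits the prototype setter on the target.
function afterAssign() {
  return inspect(Object.assign({}, JSON.parse(text)));
}

// Hardened parse: a reviver that drops every "__proto__" key.
function parseWithoutProto(json) {
  return JSON.parse(json, (key, value) =>
    key === "__proto__" ? undefined : value);
}

function afterHardenedAssign() {
  return inspect(Object.assign({}, parseWithoutProto(text)));
}

console.log({
  literal: fromLiteral(),
  json: fromJson(),
  assign: afterAssign(),
  hardened: afterHardenedAssign(),
});
```

Object spread (`{...parsed}`) defines properties instead of assigning them, so it keeps "__proto__" as an own key rather than changing the prototype.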