
Add the option for ignoring the __proto__ property

Open pashoo2 opened this issue 10 years ago • 7 comments

Can you do this? It's very bad that JSON parses __proto__ without any errors; it may cause various bugs.

pashoo2 avatar Jun 04 '15 08:06 pashoo2

How does the native JSON.parse function handle your case?

bjouhier avatar Jun 04 '15 09:06 bjouhier

JSON.parse does not worry about it) It needs to be handled manually, and that causes performance issues. Maybe some people don't know about the __proto__ property behaviour in JS and are not handling this.

pashoo2 avatar Jun 04 '15 17:06 pashoo2

If JSON.parse does not do anything special then I would not do anything either. I want to stick to standard behavior. It's very unusual to have __proto__ in JSON feeds. It should be stripped by serialization.

Can I close?

bjouhier avatar Jun 04 '15 21:06 bjouhier

It may be used for any hacks. Many people use Object.keys for validating objects that have been parsed by JSON, and as you know Object.keys does not return properties from the __proto__.

pashoo2 avatar Jun 06 '15 18:06 pashoo2

"It's very unusual to have __proto__ in JSON feeds. It should be stripped by serialization" Yes, it should be stripped by serialization, but if a malefactor has made a JSON string manually, the string will be parsed by JSON with the __proto__.

pashoo2 avatar Jun 06 '15 18:06 pashoo2

OK, I did a bit of research and I get it: JSON.parse does something special with __proto__ so that __proto__ does not become a magic prototype. The following are not equivalent:

o = JSON.parse('{ "__proto__": null }'); // o instanceof Object === true
o = { "__proto__": null } // o instanceof Object === false

So i-json should do the same.

bjouhier avatar Jun 08 '15 20:06 bjouhier
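
The distinction described in the comment above, as an added example that is not part of the original thread or of i-json: native JSON.parse stores `__proto__` as an ordinary own property, a later plain-assignment copy turns it into a real prototype that Object.keys no longer reports, and a reviver can drop the key at parse time. The helper names (`inspectParsed`, `naiveCopy`, `parseWithoutProto`) are hypothetical; the input is the JSON string quoted in this thread.

```javascript
// Added example; function names are hypothetical, not i-json's API.
// Input: the hand-written JSON string quoted in this thread.
const input =
  '{"prop1":"val1","__proto__" : { "hasOwnProperty":"true", "toString" : "ok" }}';

// JSON.parse defines "__proto__" as an own data property; the
// object's real prototype is still Object.prototype.
function inspectParsed(text) {
  const o = JSON.parse(text);
  return {
    ownKey: Object.prototype.hasOwnProperty.call(o, '__proto__'),
    keys: Object.keys(o),
    protoUnchanged: Object.getPrototypeOf(o) === Object.prototype,
    toStringType: typeof o.toString,
  };
}

// A copy loop that uses plain assignment. target['__proto__'] = value
// goes through the inherited __proto__ setter, so the untrusted value
// becomes target's prototype instead of a visible own property.
function naiveCopy(src) {
  const target = {};
  for (const k of Object.keys(src)) {
    target[k] = src[k];
  }
  return target;
}

// Defensive parse: a reviver that returns undefined makes JSON.parse
// delete that property, at any nesting depth.
function parseWithoutProto(text) {
  return JSON.parse(text, (key, value) =>
    key === '__proto__' ? undefined : value
  );
}

const copied = naiveCopy(JSON.parse(input));
console.log(inspectParsed(input).keys.join(','));   // keys seen right after parsing
console.log(Object.keys(copied).join(','));          // keys seen after the copy
console.log(typeof copied.toString);                 // inherited from the untrusted object
console.log(typeof naiveCopy(parseWithoutProto(input)).toString);
```

Validation that relies on Object.keys should run on the same object the application later reads from, or the key should be rejected at parse time as in `parseWithoutProto`.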

var oo ='{"prop1":"val1","__proto__" : { "hasOwnProperty":"true", "toString" : "ok" }}'; 
var jsO = JSON.parse(oo);
console.log(jsO.toString);

the result is "ok"

pashoo2 avatar Jun 09 '15 08:06 pashoo2