Object's builtin properties are exposed

[vogelsgesang]

The SelectFormat string

{VAR, select,
  male {He}
  female {She}
  other {It}
}

called with VAR = "toString" produces "[object Object]" as result.

Similar results for hasOwnProperty, valueOf, constructor, ... and for PluralFormat and SelectOrdinalFormat.

[vogelsgesang]

Oh, and you are able to use plural as a replacement for select:

{VAR, plural,
  male {he}
  female {she}
  other {it}
}

actually works when called with VAR = "male" or VAR = "female".

[eemeli]

Yup, that was a bug. Should be fixed now that we check data.hasOwnProperty(value) rather than value in data. Added some tests for that too.

[vogelsgesang]

Thanks for your quick response and the fix :) The example which I posted above works smoothly now.

Unfortunately, the following MessageFormat expression would overwrite hasOwnProperty.
I think Object.prototype.hasOwnProperty.call(data, value) should do the trick here.

{VAR, select, hasOwnProperty{true} other {something}}

In addition, there is a similar issue with user provided format functions:

{VAR, __defineSetter__}

[eemeli]

I switched the check to {}.hasOwnProperty.call(data, value), and modified one of the new tests to account for this. Thank you for the pentesting!

Regarding the __defineSetter__ case, can you come up with an example that doesn't work like it should? After (admittedly only a little) testing, all I could manage are slightly different errors compared to more common cases. If so, please open another issue for that, as it's really a different thing.

[vogelsgesang]

Perfect!

Well, you are right, __defineSetter__ is a separate topic. I am going to open another issue for the discussion of it.