-
-
Notifications
You must be signed in to change notification settings - Fork 901
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not add __proto__
to return value of Object.create(null)
.
#290
Do not add __proto__
to return value of Object.create(null)
.
#290
Conversation
LGTM. |
This PR isn't required, sorry. The es5-shim library in the application I was testing yesterday was from before @Benvie's change. All it had was https://github.com/es-shims/es5-shim/blob/master/es5-sham.js#L195 a line that created an object with an own property The old line remains but I have no idea what JS engine goes down that path (Opera Mini?). Without an engine that goes down the first consequent I can't test that the change is necessary. I'm quite sure createEmpty = function () {
return { __proto__: null };
}; is wrong but it's an assumption. Maybe Sorry about this. |
I don't see that as a reason to close this. The comment says old IEs hit this path, and
|
@michaelficarra However, can I'm hesitant to change this sham without extensive testing on multiple browsers. |
IE8 executes the second clause. I guess @michaelficarra what you mean is that the second clause is incorrect and should not set What about the first clause. Surely that's wrong too? @ljharb You would have to go out of your way to execute your code snippet and the sham won't protect you from it. Also if it has an effect it will probably have the same effect in new browser engines too as they all support |
@briandipalma Yes. And the first clause is only wrong when |
I think the Maybe Rhinos and old V8s/node would go down that path but they should go down that path due to I can't say I'm comfortable with changes here without understanding what old runtimes could be affect but at the same time I think those runtimes are not likely to still be in use. I can delete the |
fwiw, the es5-shim needs to work in as many old runtimes as possible, as far back as possible, regardless of usage. |
@briandipalma: I don't think you're understanding me. The first clause is fine, but only for the interpreters that get there because of edit: Also, this should be merged because it is a strictly positive change. |
@michaelficarra Right, I understand now. Forgot about Photoshop, I figured the second condition was never hit by any environment. What is the different handling in that case? Create an object but delete any enumerable property? |
I'm not sure what to do in that case. The only thing I can think of would be horribly broken. |
Will this be merged or should I close the PR? |
@briandipalma It won't be merged until all the open questions in this thread can be resolved, but I'm happy to merge it once I'm convinced that we've explored all the consequences of this change. I'm comfortable leaving it open, or closing it, as you prefer. |
Please rebase this branch freshly onto master. I'm still hoping for some clarity on why this line was necessary in the first place, but I think we can merge it anyways. |
Ohh, I think I can guess why it was there in the first place. Ideally we want
This code needs a tweak if |
That makes a lot of sense, good catch @dgreensp |
@briandipalma would you mind freshly rebasing this? @dgreensp if you want to update #321 instead along with the necessary |
Sure. There are no tests for this, right? |
I doubt it, but please do add some :-) |
Where should they go? I think I only found shim (not sham) tests in the repo. |
They're intermixed in the other tests - see the conditional test here https://github.com/es-shims/es5-shim/blob/master/tests/spec/s-object.js#L4-L24 so that tests don't fail in an environment where it'd be impossible to polyfill it. |
Travelling atm will fix this up at weekend |
Great, thanks! |
I don't think it's possible in general to detect objects with a null proto, but we could detect:
|
And certainly we also may not be able to do it cross-realm, but that's alright. I'd say that you could detect it by doing |
Ah, testing I can't think of any JS environment where |
Stock, you're correct. But ideally, the shims are robust enough that it takes absurdly extreme measures for someone to break them - ie, Now that I think about it, this might be the most robust altogether: var key = '_____ some totally unguessable string ___' + Date.now();
var signal = {};
Object.prototype[key] = signal;
var hasObjectProto = value[key] === signal;
delete Object.prototype.key;
return !hasObjectProto; |
In that vein, maybe we should check whether the value is |
It is a sham, after all, so best-effort is OK. |
So, the problem is that |
c0dc8da
to
7eed727
Compare
Conversation behind this change: https://twitter.com/bterlson/status/558023598095360000 Before this change `Object.create(null)` and iterating the returned object, via `Object.keys`, in IE8 would result in `__proto__` incorrectly being returned as an own key.
7eed727
to
b80cc92
Compare
So after the rebase these failures occurred, I'm thinking they are due to the ESLint 1.0.0 release but I'm not sure and I don't think this branch is the correct place to tackle such issues. I'd say 1539 is the root cause of the errors. I've created a PR to your shared ESLint config repo to try and fix this problem. |
@briandipalma Yes, I haven't finished testing #321 yet but I'm going to close this in favor of that one. I hope that's ok! |
No worries, makes sense. |
Conversation behind this change: https://twitter.com/bterlson/status/558023598095360000
Before this change
Object.create(null)
and iterating the returned object, viaObject.keys
,in IE8 would result in
__proto__
incorrectly being returned as an own key.