
Please don't turn req.body into an object without a prototype #362

Closed
mercmobily opened this issue Jul 14, 2016 · 3 comments

mercmobily commented Jul 14, 2016

In the code you have:

Object.create(null)

This is a huge problem in some cases. My app did req.body.hasOwnProperty(), which miserably failed for no apparent reason. While you could argue that using hasOwnProperty() on req.body could be a waste of time, you need to remember that I am passing req.body to a utility function that expects a generic object...

It's a very simple fix -- as simple as using:

Object.create(Object.prototype)

Ta.

LinusU (Member) commented Jul 14, 2016

I think that I agree, there is even an open PR for this: #318. It will need to be a major bump though, since we are introducing potential security holes...

I'm proposing taking this up on the next express TC meeting, I'll add it to the agenda...

LinusU (Member) commented Jul 14, 2016

See expressjs/discussions#25

LinusU (Member) commented Aug 14, 2016

We feel that keeping it with a null prototype is the way to go forward, since the alternative either introduces potential bugs that can be exploited by a client, or has to strip some keys, which can be very confusing and hard to work around if it affects you.

If you have anything new to add to the discussion, please feel free to post a comment in the discussions issue: expressjs/discussions#25
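The trade-off LinusU describes above, together with the hasOwnProperty() failure from the opening post, as an added example that is not the project's own code: a body is built the naive way a parser might (one assignment per field) both as a plain object and as a null-prototype object, and a small helper shows what a consumer observes in each case. The field lists and the hasField helper are constructed for this illustration.

```javascript
// Added example (not the project's code): why a null-prototype req.body resists
// client-chosen field names, and how a utility function can check own
// properties safely on either shape. All inputs below are constructed.

// Builds a body the naive way a parser might: one assignment per field.
function buildBody(pairs, nullProto) {
  const body = nullProto ? Object.create(null) : {};
  for (const [key, value] of pairs) {
    body[key] = value;
  }
  return body;
}

// Portable own-property check: does not depend on body.hasOwnProperty existing
// (null prototype) or on it being unshadowed by a client-chosen field name.
function hasField(body, key) {
  return Object.prototype.hasOwnProperty.call(body, key);
}

// Summarise what a consumer of the body would observe.
function inspect(body) {
  let methodCallable = true;
  try {
    body.hasOwnProperty("name"); // the call the issue reporter was making
  } catch (e) {
    methodCallable = false;
  }
  return {
    ownKeys: Object.keys(body),
    admin: body.admin,          // defined only if the prototype was swapped
    methodCallable,
    hasName: hasField(body, "name"),
  };
}

// Constructed inputs: an ordinary submission and one with hostile field names.
const benignPairs = [["name", "alice"]];
const hostilePairs = [
  ["name", "alice"],
  ["hasOwnProperty", "yes"],       // shadows the inherited method on a plain object
  ["__proto__", { admin: true }],  // on a plain object this swaps the prototype
];

function report() {
  return {
    benignPlain: inspect(buildBody(benignPairs, false)),
    benignNull: inspect(buildBody(benignPairs, true)),
    hostilePlain: inspect(buildBody(hostilePairs, false)),
    hostileNull: inspect(buildBody(hostilePairs, true)),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

With a plain object, the benign submission works as the reporter expected, but the hostile one makes body.admin read as true because the "__proto__" assignment replaced the prototype rather than storing a field. With Object.create(null) every field, including "__proto__", is an ordinary own key, at the cost that body.hasOwnProperty() is never callable; a consumer that uses Object.prototype.hasOwnProperty.call(body, key) works correctly on both shapes, which is the change a utility function like the reporter's would need.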

@LinusU LinusU closed this as completed Aug 14, 2016