Closed Bug 879871 Opened 12 years ago Closed 12 years ago

JSON.stringify breaks when Array.prototype.toJSON is defined

Categories

(Core :: JavaScript Engine, defect)

24 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: leohorie, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

Steps to reproduce:

    JSON.stringify([1]) // "[1]"
    Array.prototype.toJSON // undefined
    Array.prototype.toJSON = function() {alert(1)}
    JSON.stringify([1]) // undefined, alerts 1

Actual results:

JSON.stringify returns wrong value if Array.prototype.toJSON is defined (which is the case if Prototype.js is included in the page, for example). A malicious party could use this to steal data via XSS.

Expected results:

JSON.stringify([1]) should always return "[1]" regardless of what is done to Array.prototype
If you let somebody add things to Array.prototype, you've lost; there's nothing security-sensitive about this. I tend to think that allowing code to override toJSON on arrays is a feature, not a bug, and so this is probably WONTFIX.
Assignee: nobody → general
Group: core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
This is the required behavior by my reading of the ECMAScript 5 specification[1]. Chrome does the same thing. [1] http://www.ecma-international.org/ecma-262/5.1/#sec-15.12.3
Indeed, this is by-design/by-spec and not a bug.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
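The following is an added example, not code from the bug report or from Mozilla. It reproduces the by-spec behaviour the thread describes (JSON.stringify serializes whatever a callable toJSON returns, and arrays inherit Array.prototype.toJSON like any other object) and shows the defensive wrapper an application typically uses when it has to coexist with a library such as Prototype.js that installs Array.prototype.toJSON. All function names are hypothetical.

```javascript
// Added example (not the bug report's or Mozilla's code); names are hypothetical.

// Per ES5 15.12.3 (SerializeJSONProperty step 2), if the value has a callable
// toJSON, JSON.stringify serializes its return value instead of the value.
// Arrays are not special-cased, so a patched Array.prototype.toJSON takes over.
// This helper installs a caller-supplied toJSON on Array.prototype, runs
// JSON.stringify, and always restores the previous state afterwards.
function stringifyUnderPatch(value, toJSONImpl) {
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, 'toJSON');
  Object.defineProperty(Array.prototype, 'toJSON', {
    value: toJSONImpl, configurable: true, writable: true, enumerable: false,
  });
  try {
    return JSON.stringify(value);
  } finally {
    restoreArrayToJSON(saved);
  }
}

// Put Array.prototype.toJSON back to exactly what it was (or remove it).
function restoreArrayToJSON(saved) {
  if (saved) Object.defineProperty(Array.prototype, 'toJSON', saved);
  else delete Array.prototype.toJSON;
}

// Defensive check: has some library installed a toJSON on Array.prototype?
// Native engines define none, so any function here came from page script.
function arrayToJSONIsPatched() {
  return typeof Array.prototype.toJSON === 'function';
}

// Defensive serializer: temporarily removes a foreign Array.prototype.toJSON so
// arrays serialize natively, then reinstalls it so the library keeps working.
// Only helps when the foreign property is configurable (Prototype.js's is).
function stringifyNativeArrays(value) {
  if (!arrayToJSONIsPatched()) return JSON.stringify(value);
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, 'toJSON');
  delete Array.prototype.toJSON;
  try {
    return JSON.stringify(value);
  } finally {
    restoreArrayToJSON(saved);
  }
}
```

The reporter's alert-based toJSON returns undefined, which is why JSON.stringify([1]) itself returns undefined: the spec says a property whose serialized value is undefined is omitted, and for the top-level value that means no result at all. The workaround above is a compatibility measure for pages that already run such a library; it does not change the fact that any script able to modify Array.prototype already runs with the page's full privileges, which is the point made in the first comment.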