Bug 879871
Opened 12 years ago
Closed 12 years ago
JSON.stringify breaks when Array.prototype.toJSON is defined
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED INVALID
People: Reporter: leohorie, Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Steps to reproduce:
JSON.stringify([1]) // "[1]"
Array.prototype.toJSON // undefined
Array.prototype.toJSON = function() {alert(1)}
JSON.stringify([1]) // undefined, alerts 1
Actual results:
JSON.stringify returns wrong value if Array.prototype.toJSON is defined (which is the case if Prototype.js is included in the page, for example). A malicious party could use this to steal data via XSS.
Expected results:
JSON.stringify([1]) should always return "[1]" regardless of what is done to Array.prototype
Comment 1 • 12 years ago
If you let somebody add things to Array.prototype, you've lost; there's nothing security-sensitive about this.
I tend to think that allowing code to override toJSON on arrays is a feature, not a bug, and so this is probably WONTFIX.
Assignee: nobody → general
Group: core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
This is the required behavior by my reading of the ECMAScript 5 specification[1]. Chrome does the same thing.
[1] http://www.ecma-international.org/ecma-262/5.1/#sec-15.12.3
Comment 3 • 12 years ago
Indeed, this is by-design/by-spec and not a bug.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
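The by-spec behaviour the thread settles on, shown as an added example that is not part of this bug report: ES5 15.12.3's SerializeJSONProperty calls a callable toJSON found anywhere on the value's prototype chain, so a toJSON on Array.prototype (the constructed stand-in below mimics the old Prototype.js habit of returning an already-encoded string) turns JSON.stringify([1]) into the double-encoded "\"[1]\"". The helpers withArrayToJSON, arrayToJSONIsDefined and safeStringify are assumptions of this example, not part of the engine or of Prototype.js; safeStringify is the usual page-side mitigation of temporarily removing the prototype method while serializing.

```javascript
// Constructed stand-in for a Prototype.js-style Array#toJSON: it returns a
// JSON *string*, which JSON.stringify then quotes again (the reported symptom).
const prototypeJsStyleToJSON = function () {
  const parts = Array.prototype.map.call(this, (x) => JSON.stringify(x));
  return '[' + parts.join(',') + ']';
};

// Run fn() while Array.prototype.toJSON is defined, then restore the
// previous state so the rest of the process is unaffected.
function withArrayToJSON(fn) {
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, 'toJSON');
  Object.defineProperty(Array.prototype, 'toJSON', {
    configurable: true, writable: true, value: prototypeJsStyleToJSON,
  });
  try {
    return fn();
  } finally {
    if (saved) Object.defineProperty(Array.prototype, 'toJSON', saved);
    else delete Array.prototype.toJSON;
  }
}

// Check a page can run at startup: has some library patched Array.prototype?
function arrayToJSONIsDefined() {
  return typeof Array.prototype.toJSON === 'function';
}

// Mitigation: serialize with any Array.prototype.toJSON temporarily removed,
// so arrays go through the spec's default array serialization. If the
// property was made non-configurable it cannot be removed, so fail loudly
// rather than silently emit double-encoded output.
function safeStringify(value) {
  const desc = Object.getOwnPropertyDescriptor(Array.prototype, 'toJSON');
  if (desc && !desc.configurable) {
    throw new Error('Array.prototype.toJSON is non-configurable; cannot shield');
  }
  if (desc) delete Array.prototype.toJSON;
  try {
    return JSON.stringify(value);
  } finally {
    if (desc) Object.defineProperty(Array.prototype, 'toJSON', desc);
  }
}

// Usage: compare the untouched engine with the patched prototype.
console.log(JSON.stringify([1]));                                   // [1]
console.log(withArrayToJSON(() => JSON.stringify([1])));            // "[1]"
console.log(withArrayToJSON(() => safeStringify({ a: [1, 'x'] }))); // {"a":[1,"x"]}
```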