
Should __proto__ property be treated specially?

Open LongTengDao opened this issue 5 years ago • 5 comments

The json5-spec didn't mention it.

JSON5.parse('{__proto__:1}').__proto__ // not 1

I know it's in the JS spec; I just wonder whether it should be the same as in JS.

({__proto__:1}).__proto__ // not 1

Because in JSON land, as a data language, the __proto__ key is just a normal key.

JSON.parse('{"__proto__":1}').__proto__ // is 1

BTW: Is it right for a JSON5 parser to use [[set]] and not [[define]]?

Object.defineProperty(Object.prototype, 'xxx', { set (value) { console.log('setting!'); } });
JSON5.parse('{xxx:1}');// setting!

LongTengDao avatar Jun 06 '19 04:06 LongTengDao
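
The [[Set]] versus [[Define]] difference raised in the post above, as an added example that is not part of the original thread or of the json5 code base. The helper names `assignWithSet`, `assignWithDefine` and `compare` are hypothetical, and the input members are constructed; an object value is used for `__proto__` so the effect on the prototype chain is visible.

```javascript
// Added example (hypothetical helper names, not json5 APIs).

// [[Set]] semantics: plain assignment walks the prototype chain, so the
// `__proto__` accessor and any inherited setter intercept the write.
function assignWithSet(entries) {
  const obj = {};
  for (const [key, value] of entries) {
    obj[key] = value;
  }
  return obj;
}

// [[Define]] semantics: always creates an own data property, which is what
// JSON.parse does for every member, including "__proto__".
function assignWithDefine(entries) {
  const obj = {};
  for (const [key, value] of entries) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Constructed input: the members of '{"__proto__": {"isAdmin": true}, "xxx": 1}'.
function compare() {
  const entries = [['__proto__', { isAdmin: true }], ['xxx', 1]];
  let setterCalls = 0;
  // Inherited setter as in the issue; removed again in `finally`.
  Object.defineProperty(Object.prototype, 'xxx', {
    set() { setterCalls += 1; }, configurable: true,
  });
  try {
    const viaSet = assignWithSet(entries);
    const callsAfterSet = setterCalls;
    const viaDefine = assignWithDefine(entries);
    return {
      setOwnKeys: Object.keys(viaSet),
      setInheritsIsAdmin: viaSet.isAdmin === true,
      setSetterCalls: callsAfterSet,
      defineOwnKeys: Object.keys(viaDefine),
      defineInheritsIsAdmin: viaDefine.isAdmin === true,
      defineSetterCalls: setterCalls - callsAfterSet,
    };
  } finally {
    delete Object.prototype.xxx;
  }
}
console.log(compare());
```

With assignment, neither member becomes an own property: the first replaces the result's prototype and the second is swallowed by the inherited setter. With define, both are ordinary own data properties, matching `JSON.parse`.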

JSON5 should definitely maintain backward compatibility with JSON. Thank you for reporting this. I've opened PR #200 for this issue.

jordanbtucker avatar Jun 06 '19 15:06 jordanbtucker

My team is using JSON5 as a way to allow users to enter hierarchical data. While non-JS implementations will not have an issue with __proto__, I can see a lot of potential security/quality issues if a JAVASCRIPT json5 parser allows __proto__.

I suggest that it be explicitly written into the spec that JavaScript parsers (by default) will not allow __proto__ and other special attributes to be set.

yairlenga avatar Oct 07 '21 05:10 yairlenga

@yairlenga Thanks for the suggestion. Since JSON5 is just a document format, it is generic regarding implementations. Although the format is based on JavaScript (just like JSON is), it doesn't really have to do with the JavaScript language (apart from the fact that it references JavaScript grammar productions).

If we were to include implementation details for JavaScript, then why should we not also include implementation details for Python, C/C++, C#, Rust, PHP, Go, etc.

If you would like to continue this discussion regarding the spec, please open an issue in the json5-spec repo.

jordanbtucker avatar Oct 09 '21 00:10 jordanbtucker

"If we were to include implementation details for JavaScript, then why should we not also include implementation details for Python, C/C++, C#, Rust, PHP, Go, etc."

I also am looking for a PHP implementation of JSON5

Also for comparison (note: comments):

  • https://web.archive.org/web/20190405070225/https://github.com/douglascrockford/JSON-js/blob/master/json_parse.js
  • https://github.com/json5/json5/blob/master/lib/parse.js

jasonkhanlar avatar May 11 '22 23:05 jasonkhanlar

@jasonkhanlar In the Wild on the Wiki is the place to look for implementations.

jordanbtucker avatar May 11 '22 23:05 jordanbtucker

Fixed in 4a8c4568fe6bf85daf6f473aaa50007c43f74d6e

jordanbtucker avatar Oct 01 '22 11:10 jordanbtucker