
  >> JSON.parse("{}")["__proto__"]["A"] = "T"
  "T"
  >> W = {}
  Object {  }
  >> W.A
  "T"


And this is not deserving of WAT. This is actually a result of how awesome JavaScript is.

But if you ever actually do this, then... WAT.


That’s literally just prototype inheritance vs a UI nicety in node I assume.

What alternative behaviour would you expect?


It’s the wat I’ve seen have the most security impact.

Deep merging two JSON parsed objects is innocuous enough everywhere else that most don’t think twice about doing it. Lots of widely used libraries that provide deep merging utilities have had security vulnerabilities because of this.

I guess you could argue that the wat is that objects coming out of JSON.parse don’t have null as their prototype.
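The deep-merge problem described in the comment above, as an added example that is not part of the original thread: a naive recursive merge next to a hardened one, both run over the same JSON-parsed input. The function names (`naiveMerge`, `safeMerge`, `demo`) and the sample JSON are constructed for illustration and are not taken from any particular library.

```javascript
// Constructed sample: a JSON body carrying an own "__proto__" key.
const untrusted = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';

// Hypothetical naive deep merge, the shape the comment warns about.
function naiveMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === "object") {
      // target["__proto__"] resolves to Object.prototype, so we recurse into it.
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: own keys only, prototype-reaching keys skipped,
// nested containers created without a prototype.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      const base = own && typeof own === "object" ? own : Object.create(null);
      target[key] = safeMerge(base, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

function demo() {
  naiveMerge({}, JSON.parse(untrusted));
  const pollutedAfterNaive = ({}).isAdmin === true; // every object now inherits it
  delete Object.prototype.isAdmin; // undo the pollution before the second run
  const merged = safeMerge({}, JSON.parse(untrusted));
  const pollutedAfterSafe = ({}).isAdmin === true;
  return { pollutedAfterNaive, pollutedAfterSafe, dark: merged.theme.dark };
}

console.log(demo());
```

`JSON.parse` stores `"__proto__"` as an ordinary own property, so the parse itself is harmless; the pollution happens only when the merge reads `target["__proto__"]` and writes through it.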



