Home/ Questions/Q 9255821
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T11:47:46+00:00

In Java, I find it straight forward to take a string and use it

  • 0

In Java, I find it straight forward to take a string and use it as a key in a LinkedHashMap. I can even translate it into JSON and back with no troubles.

I am using Node.JS/JavaScript now, and there is a special case that is not handled.

var makesSense = '{"__proto__":"foo","toString":"bar"}'
var noSense = JSON.stringify(JSON.parse('{"__proto__":"foo","toString":"bar"}'))
console.log(noSense) // outputs {"toString":"bar"}

What is the recommended way to handle __proto__ and other things like it. It would seem that toString is not causing any trouble, but supposing I needed consistent handling of untrusted data. What is the recommended solution?

  • Prepend an extra character before every key? If so, what character makes the most sense? I know it can’t be an underscore, so what about a space?
  • Use a module that handles this for me? I would want one that will handle this conveniently and without excessive features. (some features would be nice though)
  • Something else? Is there a solution that is compatible with JSON.parse?

Why does this matter? Surely nobody is actually going to type __proto__ by accident. But what if they were doing this on purpose. They learn I am using JavaScript, so what? – No problems except in the following situation:

  • Software has a array of strings. It just so happens one of these strings say __proto__ because someone was poking around trying to break my software.
  • Software creates a Map using those strings for a key, and fills the Map with some nice data.
  • Software later goes through the array of strings, and collects the information from the Map. The Map returns something null, and then boom: null pointer exception.
  • Software now does not work. This would qualify as something sort of like denial of service.

I know that that situation is absolutely vary rare, but I don’t like it. I cannot remember all the quirks of the programming language I am using, so given enough time, I am bound to write this kind of code.

I pride myself on creating code that is not subject to tampering. So, I am attempting to eliminate these pinholes from my software.

Yes, these are super-minor, but it is at least worth a StackOverflow question, to see if people have a better answer than I know. I learn a lot this way.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Prepend an extra character before every key? If so, what character makes the most sense? I know it can’t be an underscore, so what about a space?

    I use an x, but it’s arbitrary. So long as you use something that’s unlikely to form a special property name like (on some engines) __proto__, or toString, or valueOf (and I’m not aware of any special property names starting with x), you’re fine.

    • 0