
Setters are no longer called when setting properties in object initializers: what does this mean?

Tags:

javascript

On this JS MDN page it says this:

JavaScript 1.8.1 note

Starting in JavaScript 1.8.1, setters are no longer called when setting properties in object and array initializers.

I just can't figure out what this is trying to tell me.

PitaJ asked Oct 23 '12 22:10


2 Answers

This code-snippet:

var o = {};
o.seven = 7;

and this code-snippet:

var o = { seven: 7 };

are normally equivalent; but if they're preceded by this code-snippet:

Object.prototype.__defineSetter__('seven', function(x) { alert(x); });

then only the former will alert 7 (because the setter is called by o.seven = 7, but not by o = { seven: 7 }), and only the latter will actually set o.seven to 7.

ruakh answered Sep 21 '22 21:09


I think this refers to the issue of JSON hijacking. Have a look at

  • Is it possible to do 'JSON hijacking' on modern browser?
  • http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as-people-think-it-is/
  • http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx, http://haacked.com/archive/2009/06/25/json-hijacking.aspx
  • http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/

To repost my answer from this deleted question:

According to the specification, neither Array (ECMAScript 5.1 §11.1.4) nor Object literals (ECMAScript 5.1 §11.1.5) should be hijackable:

  • They call "the standard built-in constructor with that name", not what you might have overwritten at window.Array or window.Object
  • They use [[DefineOwnProperty]], which absolutely does not take care of any setters on Object.prototype.

Nowadays, this should not be an issue any more in ES 5.1-compliant browsers.

Bergi answered Sep 21 '22 21:09
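
The behaviour both answers describe, as an added example that is not code from either answer: it uses the standard Object.defineProperty in place of the legacy __defineSetter__, and the helper name withPrototypeSetter and the sample JSON string are constructed for illustration. It goes one step beyond the answers by also checking JSON.parse, which likewise defines own properties instead of assigning.

```javascript
'use strict';

// Install a counting setter on a prototype, run fn, then always remove it.
// (Hypothetical helper name; a counter is used instead of an array so the
// setter itself never assigns an index on an array.)
function withPrototypeSetter(proto, key, fn) {
  let calls = 0;
  let last;
  Object.defineProperty(proto, key, {
    configurable: true,               // lets the finally block delete it
    set(value) { calls += 1; last = value; },
  });
  try {
    const result = fn();
    return { result, calls, last };
  } finally {
    delete proto[key];
  }
}

// Assignment walks the prototype chain: the setter runs, no own property.
function assignProperty() {
  return withPrototypeSetter(Object.prototype, 'seven', () => {
    const o = {};
    o.seven = 7;
    return Object.prototype.hasOwnProperty.call(o, 'seven');
  });
}

// Object initializer defines an own data property: the setter never runs.
function objectInitializer() {
  return withPrototypeSetter(Object.prototype, 'seven', () => {
    const o = { seven: 7 };
    return Object.getOwnPropertyDescriptor(o, 'seven').value;
  });
}

// Array initializer and JSON.parse: a setter on index 0 sees nothing.
function arrayInitializerAndJson() {
  return withPrototypeSetter(Array.prototype, '0', () => {
    const literal = ['secret'];
    const parsed = JSON.parse('["secret"]'); // constructed sample payload
    return [literal[0], parsed[0]];
  });
}

console.log(assignProperty(), objectInitializer(), arrayInitializerAndJson());
```
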