| 19:04 | <bakkot> | RCE in react server apparently arising from proto pollution; gotta start encouraging people to put |
| 19:51 | <nicolo-ribaudo> | Gotta suggest a CSP to remove it, it's normative optional anyway |
| 19:59 | <bakkot> | https://github.com/tc39/proposal-symbol-proto had something like that, although much more complex |
| 19:59 | <bakkot> | though in this case it was server-side |
| 20:00 | <bakkot> | (and node does have --disable-proto, though no one uses it) |
| 20:07 | <Michael Ficarra> | If you could teach them to do this, you could teach them to not use objects as maps. Unfortunately, "we can teach them" as a strategy has never worked out once in my life. |
| 20:07 | <bakkot> | one of those things is a lot easier to teach! |
| 20:08 | <kriskowal> | yeah, and JSON makes a lie of “don’t use objects for maps” every time. |
| 20:17 | <ptomato> | so does the performance of using objects for maps |
| 20:54 | <Rob Palmer> | In the most recent meeting there was some advocacy for using objects as maps. Is this evidence against that? |
| 20:56 | <bakkot> | if you're going to use an object as a map, you must use __proto__: null when creating it, that's all |
| 20:56 | <bakkot> | the language does this, e.g. in RegExp groups or groupBy |
| 20:57 | <kriskowal> | However, JSON.parse, creator of many objects-as-maps, not so much. |
| 20:58 | <bakkot> | alas |
| 20:59 | <Rob Palmer> | Where is JSON.parse2 |
| 22:19 | <Chris de Almeida> | seek the null prototype reviver |
| 22:30 | <bakkot> | that reminds me, there was a suggestion at some point to add an option proto parameter to Object.fromEntries |
| 22:30 | <bakkot> | though possibly it should accept only the value null |
| 22:32 | <Michael Ficarra> | just prepend your entries with ["__proto__", null] 😜 |
| 22:34 | <bakkot> | ah yes, the bad old days of object initialization triggering setters from the prototype |
| 23:11 | <Michael Ficarra> | speaking of bad old days and object prototypes, does anyone else remember how in ES3 a named function expression (but not an anonymous function) would add an object with Object.prototype as its [[Prototype]] to the scope chain? |
| 23:13 | <Michael Ficarra> | at least one engine had actually implemented this literally (Opera I think?) and it was hilarious |