
There is no way of knowing someone won’t do a.foo = window.alert later though, unless it’s a frozen object



That's also true of an object parsed with JSON.parse


JSON.parse won't parse a function call/literal. Direct injection would.


You're right about that, but I don't think you're following the argument. The argument was that there could be a `SimpleObject` that's limited and parses quicker. A `SimpleObject` wouldn't parse a function call, just like JSON.parse.

As OP said, "subset of JS Objects". This subset of JS objects wouldn't support function calls.


Don't we already have that, plus a transport medium with JSON?


The speed-up is at object instantiation. `a.foo = window.alert` could only be done post instantiation.
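An added example, not part of the thread: it checks the two properties discussed above, that `JSON.parse` rejects function calls and function literals, and that only a frozen object rules out a later `a.foo = ...` assignment. `parseFrozen`, the other helper names and the sample strings are constructed for illustration.

```javascript
// Constructed sample inputs (not taken from the thread).
const DATA_ONLY = '{"foo": {"bar": [1, 2, {"baz": "x"}]}}';
const WITH_CALL = '{"foo": alert(1)}';        // a function call
const WITH_FN = '{"foo": function () {}}';    // a function literal

// True when JSON.parse refuses the text with a SyntaxError.
function rejectedByJsonParse(text) {
  try {
    JSON.parse(text);
    return false;
  } catch (e) {
    if (e instanceof SyntaxError) return true;
    throw e;
  }
}

// Hypothetical helper: JSON.parse calls the reviver bottom-up (children
// before their parent), so freezing every object the reviver sees gives
// a deeply frozen result.
function parseFrozen(text) {
  return JSON.parse(text, (_key, value) =>
    value !== null && typeof value === 'object' ? Object.freeze(value) : value);
}

// Attempts the post-instantiation assignment from the thread and reports
// whether it took effect. On a frozen object the write throws a TypeError
// in strict mode and is silently ignored otherwise; both count as "no".
function canAttachFunction(obj) {
  try {
    obj.foo = function injected() {};
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return typeof obj.foo === 'function';
}

console.log({
  callRejected: rejectedByJsonParse(WITH_CALL),
  fnLiteralRejected: rejectedByJsonParse(WITH_FN),
  plainObjectMutable: canAttachFunction(JSON.parse(DATA_ONLY)),
  frozenObjectMutable: canAttachFunction(parseFrozen(DATA_ONLY)),
});
```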



