Should __proto__ property be treated specially?

[LongTengDao]

The json5-spec didn't mention it.

JSON5.parse('{__proto__:1}').__proto__ // not 1

I know it's in js-spec, I just wonder whether it should be same like js.

({__proto__:1}).__proto__ // not 1

Because in JSON land, __proto__ key is just a normal key, as a data language.

JSON.parse('{"__proto__":1}').__proto__ // is 1

---

BTW: Is it right for JSON5 parser use [[set]] not [[define]]?

Object.defineProperty(Object.prototype, 'xxx', { set (value) { console.log('setting!'); } });
JSON5.parse('{xxx:1}');// setting!

[jordanbtucker]

JSON5 should definitely maintain backward compatibility with JSON. Thank you for reporting this. I've opened PR #200 for this issue.

[yairlenga]

I’m team is using JSON5 as a way to allow users to enter hierarchical data. While non JS implementation will not have an issue with proto, I can see lot of potential security/quality issues if JAVASCRIPT json5 parser will allow proto.

suggesting that it will be explicit written into the spec that JavaScript parsers, (by default), will not allow proto and other special attributes to be set.

[jordanbtucker]

@yairlenga Thanks of the suggestion. Since JSON5 is just a document format, it is generic regarding implementations. Although the format is based on JavaScript (just like JSON is) it doesn't really have to do with the JavaScript language (apart from the fact that it references JavaScript grammar productions).

If we were to include implementation details for JavaScript, then why should we not also include implementation details for Python, C/C++, C#, Rust, PHP, Go, etc.

If you would like to continue this discussion regarding the spec, please open an issue in the json5-spec repo.

[jasonkhanlar]

"If we were to include implementation details for JavaScript, then why should we not also include implementation details for Python, C/C++, C#, Rust, PHP, Go, etc."

I also am looking for a PHP implementation of JSON5

Also for comparison (note: comments):

• https://web.archive.org/web/20190405070225/https://github.com/douglascrockford/JSON-js/blob/master/json_parse.js
• https://github.com/json5/json5/blob/master/lib/parse.js

[jordanbtucker]

@jasonkhanlar In the Wild on the Wiki is the place to look for implementations.

[jordanbtucker]

Fixed in 4a8c456