profile
viewpoint

Ask questionsImplement a __proto__ check option

Eran Hammer posted an article on proto poisoning and his solution in joi/hapi: https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061

@rgrove posted a simple implementation of a fix for this: https://gist.github.com/rgrove/3ea9421b3912235e978f55e291f19d5d

However the fix requires a custom reviver that might slow down the default/valid parsing case, Eran prevented this by using an initial check for __proto__. It might be good to add this as a default to be checked for in body-parser in general that can be switched off... if someone wants to do so.

expressjs/body-parser

Answer questions RA80533

Do any of you personally use Express without prototype sanitization? What areas of your services would suffer as a result of Express handling prototype sanitization?

useful!
source:https://uonfu.com/
Github User Rank List