Add the option for ignoring the __proto__ property

[pashoo2]

Can you do this?
It's very bad that JSON parses proto without any errors, it may cause a various bugs

[bjouhier]

How does the native JSON.parse function handle your case?

[pashoo2]

JSON.parse does not worry about it) It need to handle manually and causes the performance issues. May be some people don't know about the proto property behaviour in the js and not handling this

[bjouhier]

If JSON.parse does not do anything special then I would not do anything either. I want to stick to standard behavior. It's very unusual to have __proto__ into JSON feeds. It should be stripped by serialization.

Can I close?

[pashoo2]

It's may used for any hacks. Many peoples use Object.keys for validation objects, that have been parsed by JSON, and as you know Object.keys does not returns properties from the proto

[pashoo2]

"It's very unusual to have proto into JSON feeds. It should be stripped by serialization"
Yes it should be stripped by serialization, but if a malefactor has made a JSON string manually, a string will be parsed by JSON with the proto

[bjouhier]

OK, I did a bit of research and I get it: JSON.parse does something special with __proto__ so that __proto__ does not become a magic prototype. The following are not equivalent:

o = JSON.parse('{ "__proto__": null }'); // o instanceof Object === true
o = { "__proto__": null } // o instanceof Object === false

So i-json should do the same.

[pashoo2]

var oo ='{"prop1":"val1","__proto__" : { "hasOwnProperty":"true", "toString" : "ok" }}'; 
var jsO = JSON.parse(oo);
console.log(jsO.toString);

the result is "ok"