[Bug 12101] "Structured clone" can be passed an object with a hostile getter that returns an object identical to itself; "structured clone" does not prevent such an infinite regression. from bugzilla@jessica.w3.org on 2011-07-05 (public-html-bugzilla@w3.org from July 2011)

From: <bugzilla@jessica.w3.org>
Date: Tue, 05 Jul 2011 21:46:38 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QeDS2-0004vb-Rd@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12101

--- Comment #7 from Cameron McCormack <cam@mcc.id.au> 2011-07-05 21:46:37 UTC ---
I agree with Jonas.  Even simple type conversions can result in this, e.g.

  element.id = { toString: function() { while(1); } };

There are many situations where DOM objects have to call in to JS code, and
calling a getter property is just one of them.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Tuesday, 5 July 2011 21:46:39 UTC