[Project_owners] Javascript (de)serialization question

Paul Tomlin paul at paultomlin.com
Mon Mar 13 09:04:31 EST 2006


Eric H. Jung wrote:

>> Do you care/need to know if the data is corrupted?
>>
> 
> No.

You should. And having the properties wrapped in accessors can help 
here. I'd be tempted to reset the __proto__ property to regain your class 
data to allow for this, or create a wrapper class which deals with the 
details...

var data = new Object();
data.foo = 'abc';

var DataHandler = new Object();
DataHandler.getFoo = function (obj)
{
	// check obj.foo
	// then
	return obj.foo;
}
DataHandler.setFoo = function (obj, val)
{
	// check obj
	// check val
	// then
	obj.foo = val;
}

Since all your data handling is separated from your data, you can 
happily just use simple objects to store the data. You can also handle 
computed properties easier, which in turn might reduce the size of 
toSource().

I have a tendency to try to write full classes rather than leverage the 
language. I think this is a result of dealing with too many languages, 
all of which have their own tricks. In the end it just gets too confusing.

>> Do you care/need to know if the data is maliciously changed to include
>> new functions that will now run inside chrome in your extension?
>>
> 
> 
> No.

You should, to be fair.. Though I wonder how many people check things 
like preference values in their extensions?

Pondering this, I think I'm safe purely by chance, since the only real 
values I store are URIs for mail folders. Frigging about with them is 
only going to result in an exception.

If you store & use, without checking, something like a web URL that's 
used, for instance, with some user account info (social bookmarking, 
hotmail/google, etc) then a naughty extension could switch that to a 
proxy...
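
An added example, not part of the original message or the extension's own code: the DataHandler wrapper from the message with its checks filled in, so that stored data which has gained a function or a swapped service URL is rejected instead of used. The names EXPECTED_ORIGIN, serviceUrl, loadStored and safeServiceUrl are hypothetical, the origin is a constructed value, and JSON.parse is swapped in as a data-only parser in place of evaluating toSource() output.

```javascript
// Added example: checked accessors over plain deserialized data.
// EXPECTED_ORIGIN, serviceUrl, loadStored, safeServiceUrl are hypothetical names.
const EXPECTED_ORIGIN = "https://bookmarks.example"; // constructed value

const DataHandler = {
  // Reject anything that is not a plain, function-free object.
  checkObj(obj) {
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
      throw new TypeError("stored data is not an object");
    }
    for (const key of Object.keys(obj)) {
      if (typeof obj[key] === "function") {
        throw new TypeError("stored data contains a function: " + key);
      }
    }
  },
  // Accept only a well-formed URL on the origin the extension expects.
  checkUrl(val) {
    if (typeof val !== "string") throw new TypeError("URL is not a string");
    const url = new URL(val); // throws on malformed input
    if (url.origin !== EXPECTED_ORIGIN) {
      throw new RangeError("unexpected origin: " + url.origin);
    }
    return url.href;
  },
  getServiceUrl(obj) {
    this.checkObj(obj);
    return this.checkUrl(obj.serviceUrl);
  },
  setServiceUrl(obj, val) {
    this.checkObj(obj);
    obj.serviceUrl = this.checkUrl(val);
  },
};

// Parse stored text as data only: unlike evaluating toSource() output,
// JSON.parse cannot produce functions or run code.
function loadStored(text) {
  const obj = JSON.parse(text);
  DataHandler.checkObj(obj);
  return obj;
}

// Returns the validated URL, or null if the stored value fails any check.
function safeServiceUrl(text) {
  try {
    return DataHandler.getServiceUrl(loadStored(text));
  } catch (e) {
    return null;
  }
}
```

Returning null on any failure lets the caller fall back to a built-in default rather than send account data to an unchecked address.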

