Free email newsletter: “ News


The text “__proto__” can break a webapp

[This post is part of a series on the special property __proto__]

The text “__proto__” can still break webapps if it appears somewhere in the content, as I was reminded of today, via Domenic Denicola and Peter van der Zee.

The breakage

The following webapps are susceptible to “__proto__”-induced breakage:
  • The classic – Google Docs: For a while, if you typed in “__proto__” at the beginning of a document in Google Docs then it would hang.
  • Current – Twitter: If you click on @__proto__ in a tweet then the profile summary that comes up only has a title bar, but no content. You also get “slow script” dialogs in Firefox. You can try it out in this tweet.


__proto__ is a special property of JavaScript objects [1]. Therefore, if you use an object as a map from strings to values, you must not use the string "__proto__" as a key. That is one of several things that you have to watch out for when using objects this way [2].

__proto__ is only supported in some browsers, things only break if it is supported. Thus, Firefox exhibits these problems, but Internet Explorer 9 does not. However, __proto__ will become part of ECMAScript 6 [1] which means that all browsers will eventually support it.


  1. JavaScript: __proto__
  2. The pitfalls of using objects as maps in JavaScript

No comments: