Using the canonicalName as the key to a collection of CRICChannel or CIRCUser objects can have disastrous results if the canonicalName is the same as a built-in JavaScript property. One such example is if user "__proto__" or "__parent__" joins a channel.
Existing bug from ChatZilla. Refer to these bugs and the accompanying patch. I suggest replacing the use of canonicalName with collectionKey, which is just ":" + canonicalName, as per the recommendations in 498178.
Using the
canonicalNameas the key to a collection ofCRICChannelorCIRCUserobjects can have disastrous results if thecanonicalNameis the same as a built-in JavaScript property. One such example is if user "__proto__" or "__parent__" joins a channel.Existing bug from ChatZilla. Refer to these bugs and the accompanying patch. I suggest replacing the use of
canonicalNamewithcollectionKey, which is just":" + canonicalName, as per the recommendations in 498178.Bug 498178 Bug 703423 Patch 427892