Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Helper to deal with dangerous strings

See original GitHub issue

🚀 Feature Request

JavaScript is subject to very strange bugs when using keys like __proto__ or reserved keywords.

The aim of this feature will be to come with a nice helper able to generate strings including various keywords such as:

'__prototype__', '__proto__' , 'proto'    , 'constructor', 'set'      , 'get'       ,
'break'        , 'case'      , 'class'    , 'catch'      , 'const'    , 'continue'  ,
'debugger'     , 'default'   , 'delete'   , 'do'         , 'else'     , 'export'    ,
'extends'      , 'finally'   , 'for'      , 'function'   , 'if'       , 'import'    ,
'in'           , 'instanceof', 'new'      , 'return'     , 'super'    , 'switch'    ,
'this'         , 'throw'     , 'try'      , 'typeof'     , 'var'      , 'void'      ,
'while'        , 'with'      , 'yield'    , 'enum'       , 'await'    , 'implements',
'let'          , 'package'   , 'protected', 'static'     , 'interface', 'private'   ,
'public'       , 'abstract'  , 'boolean'  , 'byte'       , 'char'     , 'double'    ,
'final'        , 'float'     , 'goto'     , 'int'        , 'long'     , 'native'    ,

_proto and related plus reserved keywords listed in

It might also includes known vulnerabilities or keywords coming from other langages: SELECT, FROM

Bugs like the one of letrec - see - would have been easier to detect with such helper.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:7 (6 by maintainers)

github_iconTop GitHub Comments

dubzzzcommented, Jul 11, 2022

Will be the default for strings starting in v3.1

dubzzzcommented, Mar 28, 2021


should this also be part of the bias of the normal fc.string arbitrary

It will be the default for the string and other related structures. The target for next versions of fast-check is to consider the full scope of possible inputs and to pin-point as soon as possible when this scope is wrong. If someone says: ‘my algorithm can handle any string, then it should also handle proto, otherwise it means that any is falsy’.


I’m currently POC-ing a new way to build the core arbitraries of fast-check ( One of the aim is to be able to shrink easily any entry even some that were not directly generated through normal generators of fast-check. As a consequence, the string generator will be able to receive any string and shrink it to smaller cases. I hope to be able to unlock this issue with this rework. (for the moment just a POC, it may never be merged).

The consequence will be that magic strings like proto could be shrunk by fast-check, which is not the case today if the string was not produced by it.

Read more comments on GitHub >

github_iconTop Results From Across the Web

minimaxir/big-list-of-naughty-strings - GitHub
The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input...
Read more >
How to sanitize HTML strings with vanilla JS to reduce your ...
In the loop, we'll check if the attribute isPossiblyDangerous() using a helper function. If it's not, we'll use the continue operator to skip...
Read more >
String Guide — Firefox Source Docs documentation - Mozilla
This guide documents the string classes which are visible to code within the Mozilla codebase (code which is linked into libxul ). Introduction¶....
Read more >
Unicode and passing strings — Cython 3.0.0a11 documentation
If you are dealing with Unicode text, you are usually better off using Python Unicode string objects than trying to work with encoded...
Read more >
Good C string library [closed] - Stack Overflow
SDS is a string library for C designed to augment the limited libc string handling functionalities by adding heap allocated strings that are:...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found