{ "slug": "js_prototype_errors", "term": "Prototype Chain Errors & hasOwnProperty", "category": "javascript", "difficulty": "intermediate", "short": "Iterating objects with for...in includes inherited prototype properties — use hasOwnProperty() or Object.keys() to iterate only own properties.", "long": "Every JS object has a prototype chain. for...in iterates all enumerable properties including inherited ones. This causes bugs when libraries add properties to Object.prototype (rare but real). Safe iteration: Object.keys(obj) — own enumerable string keys, Object.entries(obj) — key-value pairs, for (const key of Object.keys(obj)). hasOwnProperty() check: obj.hasOwnProperty(key) — but safe version is Object.prototype.hasOwnProperty.call(obj, key) since obj might not have hasOwnProperty (Object.create(null)). Object.create(null) creates a prototype-free object — safe for dictionaries.", "aliases": [], "tags": [ "javascript", "prototype", "iteration", "security" ], "misconception": "for...in only iterates own properties — it iterates ALL enumerable properties in the prototype chain, including inherited ones.", "why_it_matters": "Prototype pollution attacks (CVE-level vulnerabilities) work by injecting properties into Object.prototype that then appear in for...in loops across all objects.", "common_mistakes": [ "Using for...in without hasOwnProperty check.", "Calling obj.hasOwnProperty() directly — fails on Object.create(null) objects.", "Not knowing Object.keys() only returns own enumerable properties." ], "when_to_use": [], "avoid_when": [], "related": [ "prototype_pollution", "js_coercion_gotchas", "js_object_mutation_bugs" ], "prerequisites": [ "js_closures" ], "refs": [ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwn" ], "bad_code": "const obj = { name: 'Paul', role: 'admin' };\nfor (const key in obj) {\n // Includes prototype properties if any were added:\n console.log(key, obj[key]);\n}", "good_code": "// Safe iteration:\nfor (const [key, value] of Object.entries(obj)) {\n console.log(key, value); // Only own properties\n}\n\n// Safe hasOwnProperty call (works on Object.create(null) too):\nconst has = Object.prototype.hasOwnProperty.call(obj, 'name');\n\n// Prototype-free object for dictionaries:\nconst dict = Object.create(null);\ndict['key'] = 'value'; // No prototype chain", "quick_fix": "Replace for...in with Object.keys()/Object.entries(). Use Object.hasOwn(obj, key) (ES2022) instead of hasOwnProperty. Use Object.create(null) for dict-style objects.", "severity": "medium", "effort": "low", "created": "2026-03-22", "updated": "2026-04-05", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/js_prototype_errors", "html_url": "https://codeclaritylab.com/glossary/js_prototype_errors", "json_url": "https://codeclaritylab.com/glossary/js_prototype_errors.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[Prototype Chain Errors & hasOwnProperty](https://codeclaritylab.com/glossary/js_prototype_errors) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/js_prototype_errors" } } } }