node.js v0.11.x and __proto__

Ghost is an awesome platform and I recently opened a pull request to add support for static pages. After some discussion I rewrote parts of the API so that by default only normal posts are returned (a static page is a post with the page field set to true). The admin interface should of course still list all posts (including pages).

The request to the API to show all posts looks like this: ?status=all&orderBy[]=updated_at&orderBy[]=DESC&where[page]=all. Now for some reason this API request works when running Ghost on node v0.10.x but returns empty on node v0.11.x.

After some digging I noticed that the path part of the URL was being decoded slightly differently:

Node.js v0.11.x:

{ 
  where: { page: 'all', [__proto__]: {} },
  status: 'all',
  orderBy: [ 'updated_at', 'DESC' ] 
}

Node.js v0.10.x:

{ 
  where: { page: 'all' },
  status: 'all',
  orderBy: [ 'updated_at', 'DESC' ] 
}

Notice that __proto__ field? Apparently that's from a new feature in the V8 engine that node is built on.

Ghost is an express.js app and express.js relies on a node module called qs (node-querystring). This module parses the query string into a JavaScript object. For node v0.10.x everything works fine, but on v0.11.x it yields an extra property called __proto__. An issue has already been raised on GitHub.
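
A defensive way to parse the request shown above so that the result carries only the keys the client sent and never a `__proto__` property. This is an added example, not code from qs, express.js or Ghost; `parseQuery`, `splitKey`, `decode` and `BLOCKED_KEYS` are hypothetical names, and the parser only covers the key shapes that appear in this request.

```javascript
// Added example (not qs or Ghost code). All names here are hypothetical.
// Keys that must never become properties of a parsed container.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Percent-decode one component; malformed escapes are kept as literal text.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// "where[page]" -> ['where', 'page'];  "orderBy[]" -> ['orderBy', ''].
function splitKey(rawKey) {
  const parts = [rawKey.split('[')[0]];
  const re = /\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(rawKey)) !== null) parts.push(m[1]);
  return parts;
}

// Parse a bracket-style query string into null-prototype containers.
// Handles the shapes in the request above: a, a[], a[b].
function parseQuery(query) {
  const root = Object.create(null); // no inherited __proto__ accessor
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const path = splitKey(decode(eq < 0 ? pair : pair.slice(0, eq)));
    const value = eq < 0 ? '' : decode(pair.slice(eq + 1));
    // Checked after decoding, so %5F%5Fproto%5F%5F is caught as well.
    if (path.some((p) => BLOCKED_KEYS.has(p))) continue;
    let node = root;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object') {
        node[path[i]] = path[i + 1] === '' ? [] : Object.create(null);
      }
      node = node[path[i]];
    }
    if (Array.isArray(node)) node.push(value);
    else node[path[path.length - 1]] = value;
  }
  return root;
}

// Constructed input: the request from the post plus two __proto__ keys.
const sample = '?status=all&orderBy[]=updated_at&orderBy[]=DESC&where[page]=all' +
  '&where[__proto__][x]=1&where[%5F%5Fproto%5F%5F]=2';
const parsed = parseQuery(sample);
console.log(Object.keys(parsed.where), parsed.status, parsed.orderBy);
```

Code that turns `where` into a database filter can then iterate `Object.keys(parsed.where)` and see only `page`, regardless of the node version.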