Use of for-in comprehension blocks
ID: js/for-in-comprehension
Kind: problem
Security severity:
Severity: error
Precision: very-high
Tags:
- quality
- maintainability
- readability
- portability
- language-features
- external/cwe/cwe-758
Query suites:
- javascript-security-and-quality.qls
for-in blocks in array comprehensions are a Mozilla-specific language extension that is no longer supported even by SpiderMonkey, and is unlikely to be included in future ECMAScript standards. This language feature should not be used.
Recommendation
The for-in block can be replaced by a (standards-compliant) for-of block iterating over a list of property names obtained, for example, from Object.keys.
Example
In the following contrived example, a for-in block is used to iterate over the keys i of an array and construct an array of strings of the form "v = a[i]", where v is the value of a[i].
    var a = [23,,42];
    // Deprecated for-in comprehension block (Mozilla-specific extension)
    var desc = [for (i in a) a[i] + " = a[" + i + "]"];
The example can be rewritten to use a for-of block iterating over Object.keys(a) instead.
    var a = [23,,42];
    // for-of block iterating over the array's own property names
    var desc = [for (i of Object.keys(a)) a[i] + " = a[" + i + "]"];
Note that Object.keys only includes own properties, not properties inherited from a prototype. If the latter behavior is needed, the array comprehension should be replaced by a for-in loop that imperatively populates the result array.
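The two replacements described above, written without any comprehension syntax, as an added example that is not part of the original query help. The helper names describeOwn and describeAll and the sample input are assumptions made for illustration; the strings follow the "v = a[i]" form described in the text.

```javascript
// Added example: standards-compliant replacements for a for-in comprehension.
// describeOwn and describeAll are hypothetical helper names.

// Own enumerable keys only: the behaviour of the Object.keys rewrite.
function describeOwn(a) {
  const desc = [];
  for (const i of Object.keys(a)) {
    desc.push(a[i] + " = a[" + i + "]");
  }
  return desc;
}

// Own and inherited enumerable keys: a for-in loop that imperatively
// populates the result array, keeping the original for-in semantics.
function describeAll(a) {
  const desc = [];
  for (const i in a) {
    desc.push(a[i] + " = a[" + i + "]");
  }
  return desc;
}

// Constructed sample input: a sparse array (hole at index 1) whose
// prototype chain carries one extra enumerable property.
const proto = Object.create(Array.prototype);
proto.extra = 7;
const a = [23, , 42];
Object.setPrototypeOf(a, proto);

console.log(describeOwn(a)); // own keys only; the hole at index 1 is skipped
console.log(describeAll(a)); // own keys, then the inherited key "extra"
```

The difference between the two results is exactly the set of enumerable properties reachable through the prototype chain, which is what a reviewer should check before applying the Object.keys rewrite.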
References
Mozilla Developer Network: Array comprehensions: Differences to the older JS1.7.2/JS1.8 comprehensions.
Common Weakness Enumeration: CWE-758.