The dangers of using bracket notation?

There are two ways to access properties in an JS object, dot notation and bracket notation and I know that most of developers uses bracket notation when they want to dynamically access properties in an object, recently I came across an article talking about dangers of using bracket notation, the article is simple and not detailed, I kind understand what the article is talking about but like I said the article is not detailed and also it did not show any kinds of solutions to prevent dangers of using bracket notation, so my problems are:

First: What are some most common dangers things that can happen when I am using bracket notation?

Second: When I am using bracket notation, what kinds of protections can I do to avoid all those different kinds of dangers things towards using bracket notation?

I apologize if those are stupid questions but I just start my coding journey 2 months ago and I really like it and would like to learn and understand more about javascript.

hi there,
you may find this useful

Hi, thank you for the information article but sorry, this is not what I am looking for, the article only talks about how to access properties in an object and different ways to get properties from an object but what I am looking for is more towards “what are the dangers of using bracket notation” and “how to prevent the dangers of using bracket notation when using them”. :slightly_smiling_face:

You can access all properties of an object, including prototype properties. So in theory user input that was directly evaluated as object access could allow some kind of remote execution of properties on an object.

Practically, this is vanishingly unlikely to be an issue. If it’s a server side application, why are you allowing user input to directly manipulate the server side code. If it’s a browser side application, the user has complete access to the code anyway, you can’t stop them doing anything. And the browser is sandboxed, browser-side JS code can’t affect the underlying system the browser is running on.

I mean, it’s how you access objects a large % of the time, if you need to dynamically access an object it’s not like there’s a choice or an alternative technique.

1 Like

I would not say its ‘dangerous’. You can accidentally access a property that does not exist if you’re not careful, but that’s not ‘dangerous’.

1 Like

Yeah, if you’re just worried about accidental access, then you can a. code defensively and make sure important functions check the input against the object before accessing, or b. write a proxy that does that. If you’re worried about you accidentally writing something that accesses something it shouldn’t, then using Typescript will normally prevent you doing something stupid


Can you point us to that article? Because I’m not exactly sure why the author would call bracket notation dangerous.


I did some more research on the web and find out few more info about problems of using square bracket notation and some of them includes solutions.

One of the problem is something about user input and I know that I need to sanitize the user input value, but what about other problems? Are they common problems that I need to watch out when I am writing JS codes?

Also one of the live code streamer also mentioned one of a problem square bracket notation might cause(something about prototype access).

Go to time(3:12:35)
Prototype access problem(Youtube JS code streamer)

All three of these issues are really problems with using user input rather than bracket notation itself. These same issues exist for a lot of different aspects of programming that use user input to do something. Yes, this is a common problem that you need to watch out for whenever you use input provided by the user. The solution is to sanitize and validate any user input before you actually use it.


What about the youtube video? at time 3:12:35, something about prototype access…

It’s the same thing, he’s talking about validating any user input to make sure it can’t access something in the object you don’t want it to, such as prototype properties/methods. If you don’t know what object prototypes are then I suggest you read up on them because they play a huge role in JS. And his suggestion to use a Map instead of an object is a way to prevent some of these issues because Maps don’t have the prototype baggage that objects do.

1 Like