Because on NodeJS <= v0.10 hasOwnProperty returns false for __proto__ on
Object.prototype. Function.prototype and Object.prototype are roots so
it should be safe to use 'in' instead.
+ Fix "calling Function via Object.assign" test. Now fails on accesing
"bind" first because new implementation is a bit more restrictive.
+ Fix "extend the class instance". Custom methods on instances are now
allowed and ghosting (overridding) is explicitly not.
+ Add ghosting tests for class instances and plain objects.
To safely restore inherited properties and methods on plain objects e.g
with Object.create, some overly broad conditions need to be removed and
others added to more explicitly exclude unsafe properties.
isSafeMethod() has been modified as bellow, roughly the same conditions
are also now used in isSafeProperty() for get/setSafeProperty() which
previously restricted all inherited properties.
- Require __proto__ to have own-method
Intended to prevent ghosting of class methods, but also prevents
access to properties from further up the chain.
+ Require any own-method to not be in __proto__
Explicitly prevents ghosting but not inheritance. Possible to
defeat only if proto chaining through Object.create is allowed.
- Require object to not be function
Intended to prevent unsafe function methods like 'bind', but
also restricts function own-properties.
+ Require method not be in Function.prototype
Explicitly prevents unsafe function methods like 'bind',
without restricting function own properties.
Other conditions should be equivalent. The overall affect should be
that inherited properties and methods that are safe and not ghosted
should be allowed.
