Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use Object.create(null) to create all parsed objects #603

Merged
merged 1 commit into from
Apr 9, 2023
Merged

use Object.create(null) to create all parsed objects #603

merged 1 commit into from
Apr 9, 2023
+20 −20

Conversation

autopulated
Copy link
Contributor

@autopulated autopulated commented Mar 2, 2021
edited
Loading

Prevent parsing of documents containing tags or attributes named __proto__ from overwriting the prototype on returned objects (See #593)

This is a breaking change, and will break any users of this library which use, for example .hasOwnProperty on the returned objects. (The tests here have been updated to avoid this).

@coveralls
Copy link

Coverage Status

Coverage remained the same at 97.74% when pulling 581b19a on autopulated:master into 1832e0b on Leonidas-from-XIV:master.

@Arisamiga Arisamiga mentioned this pull request Apr 8, 2023
Closed
@OIRNOIR
Copy link

OIRNOIR commented Apr 8, 2023
edited
Loading

This PR is even more important to merge because it Closes #663.

@OIRNOIR
Copy link

OIRNOIR commented Apr 8, 2023

@Leonidas-from-XIV What do you think? This PR will fix the exploit reported against the latest version.

@Leonidas-from-XIV
Copy link
Owner

I am sort of wondering if this needs to be a breaking change? I could imagine just checking for __proto__ would be enough.

@Leonidas-from-XIV
Copy link
Owner

Actually, scratch that, you can inject shenanigans like hasOwnProperty as well I guess, so this would be an utter mess to try to capture.

@Leonidas-from-XIV Leonidas-from-XIV merged commit 50a492a into Leonidas-from-XIV:master Apr 9, 2023
@Leonidas-from-XIV Leonidas-from-XIV mentioned this pull request Apr 9, 2023
Closed
@simonkrol simonkrol mentioned this pull request Apr 10, 2023
Closed
@pmarkoulidakis pmarkoulidakis mentioned this pull request Apr 11, 2023
Closed
@Leonidas-from-XIV Leonidas-from-XIV mentioned this pull request Apr 11, 2023
Closed
Leonidas-from-XIV referenced this pull request Apr 11, 2023
@Leonidas-from-XIV
Add upper bound for coffeescript (for now)
b856cb8
@sfc-gh-dszmolka sfc-gh-dszmolka mentioned this pull request Apr 12, 2023
Closed
@Leonidas-from-XIV Leonidas-from-XIV mentioned this pull request Apr 13, 2023
Closed
@bakasmarius bakasmarius mentioned this pull request Apr 14, 2023
Open
@bryopsida bryopsida mentioned this pull request Apr 22, 2023
Merged
@brentsmyth brentsmyth mentioned this pull request May 19, 2023
Closed
3 tasks
Leonidas-from-XIV added a commit that referenced this pull request May 25, 2023
@Leonidas-from-XIV
Undo API changes from #603
044cfe5
@github-actions github-actions bot mentioned this pull request Jun 2, 2023
Closed
@github-actions github-actions bot mentioned this pull request Jan 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@autopulated @coveralls @OIRNOIR @Leonidas-from-XIV @guimard