diff --git a/lib/index.ts b/lib/index.ts
index 864cbac2..07d99e3b 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -47,7 +47,7 @@ class Y18N {
 this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
 // internal stuff.
- this.cache = {}
+ this.cache = Object.create(null)
 this.writeQueue = []
 }
diff --git a/test/y18n-test.cjs b/test/y18n-test.cjs
index d65b14b9..a14941b1 100644
--- a/test/y18n-test.cjs
+++ b/test/y18n-test.cjs
@@ -351,6 +351,24 @@ describe('y18n', function () {
 })
 })
+ // See: https://github.com/yargs/y18n/issues/96,
+ // https://github.com/yargs/y18n/pull/107
+ describe('prototype pollution', () => {
+ it('does not pollute prototype, with __proto__ locale', () => {
+ const y = y18n()
+ y.setLocale('__proto__')
+ y.updateLocale({ polluted: '👽' })
+ y.__('polluted').should.equal('👽')
+ ;(typeof polluted).should.equal('undefined')
+ })
+
+ it('does not pollute prototype, when __ is used with __proto__ locale', () => {
+ const __ = y18n({ locale: '__proto__' }).__
+ __('hello')
+ ;(typeof {}.hello).should.equal('undefined')
+ })
+ })
+
 after(function () {
 rimraf.sync('./test/locales/fr.json')
 })
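Review bot: The `this.cache = Object.create(null)` line carries no comment saying why the cache is prototype-less, so a later tidy-up could turn it back into `{}` and reopen the `__proto__` locale problem; I would add `// null-prototype map: a locale named '__proto__' must be an ordinary key, not Object.prototype` above it. The change covers only the top-level cache. The per-locale dictionaries stored under it are created outside this hunk, and if they are plain objects a lookup of a phrase such as `constructor` would presumably still return an inherited value rather than a translation, which is worth confirming. The constructor body starts outside the hunk.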
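Review bot: The first test's final assertion, `(typeof polluted).should.equal('undefined')`, probes a bare global identifier rather than `Object.prototype`, so it detects pollution only indirectly through the global object's prototype chain; `;(typeof {}.polluted).should.equal('undefined')`, the form the second test uses for `hello`, states the intent directly. Neither test restores state on failure, so a regression would leave `Object.prototype` modified for every later test in the run; an `afterEach` that deletes the two probe keys would contain that. Both instances are created with default options, so if file updates are on by default `__('hello')` may write a `__proto__.json` locale file that the `after` hook shown here does not remove, which is worth confirming or avoiding with `updateFiles: false`.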