Closed: autopulated closed this pull request 1 year ago
This PR is even more important to merge because it Closes #663.
@Leonidas-from-XIV What do you think? This PR will fix the exploit reported against the latest version.
I am sort of wondering if this needs to be a breaking change? I could imagine just checking for __proto__ would be enough.

Actually, scratch that, you can inject shenanigans like hasOwnProperty as well I guess, so this would be an utter mess to try to capture.
Prevent parsing of documents containing tags or attributes named `__proto__` from overwriting the prototype on returned objects (See #593).

This is a breaking change, and will break any users of this library which use, for example `.hasOwnProperty` on the returned objects. (The tests here have been updated to avoid this).
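The following is an added example, not code from this pull request or from xml2js. It is a minimal tag/attribute-to-object mapper that shows the two halves of the change described above: result objects are created with `Object.create(null)` so a tag named `__proto__` (or `hasOwnProperty`, as raised in the discussion) becomes an ordinary own property instead of reaching a prototype, and callers use `Object.prototype.hasOwnProperty.call` because the returned objects no longer inherit `.hasOwnProperty`. The function names, the `(name, value)` pair representation and the sample input are all constructed for this example and are not how xml2js represents parsed documents.

```javascript
// Added example (not xml2js code): a tag/attribute-to-object mapper that
// cannot have its prototype overwritten by a tag or attribute name.

// Result objects have no prototype at all. This is the breaking part of
// the change: node.hasOwnProperty is undefined on such an object.
function createNode() {
  return Object.create(null);
}

// Attach a child value under a tag or attribute name. defineProperty always
// creates an own data property, so "__proto__" (or any other name that would
// be an inherited accessor on a normal object) is stored as plain data
// instead of being routed to a setter.
function setChild(node, name, value) {
  Object.defineProperty(node, name, {
    value,
    enumerable: true,
    writable: true,
    configurable: true,
  });
  return node;
}

// Build a result from (name, value) pairs in document order. A value that is
// itself an array of pairs is a nested element body and is built the same
// way, so no object in the tree inherits from Object.prototype.
function buildNode(pairs) {
  const node = createNode();
  for (const [name, value] of pairs) {
    const child = Array.isArray(value) ? buildNode(value) : value;
    setChild(node, name, child);
  }
  return node;
}

// Replacement for result.hasOwnProperty(key), which no longer exists on the
// returned objects. Works even if a tag named "hasOwnProperty" is present.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Constructed sample (not from the issue report): the pairs a parser might
// produce for a root element holding a tag named __proto__ with one child,
// a tag named hasOwnProperty, and an ordinary attribute.
const SAMPLE_PAIRS = [
  ['__proto__', [['polluted', 'yes']]],
  ['hasOwnProperty', 'spoofed'],
  ['id', '42'],
];

// Builds the sample and returns the checks a defender cares about: the
// __proto__ tag is a plain own property, the node still has no prototype,
// Object.prototype did not gain a "polluted" key, and the hasOwn helper is
// unaffected by the spoofed hasOwnProperty tag.
function demo(pairs = SAMPLE_PAIRS) {
  const node = buildNode(pairs);
  return {
    protoIsOwn: hasOwn(node, '__proto__'),
    childValue: node['__proto__'].polluted,
    nodeHasNoPrototype: Object.getPrototypeOf(node) === null,
    objectPrototypeClean: !('polluted' in {}),
    inheritedHasOwnProperty: typeof node.hasOwnProperty === 'function',
    hasOwnStillWorks: hasOwn(node, 'id') && !hasOwn(node, 'missing'),
  };
}
```

Because nothing in the result tree inherits from `Object.prototype`, a tag name can only ever shadow an own property of its own node; the check in `demo()` confirms that `Object.prototype` is untouched after building the sample, which is the property the PR's updated tests are guarding.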