Core: Prevent Object.prototype pollution for $.extend( true, ... )

Closes gh-4333
2024-11-23 02:54:22 +00:00 · 2019-03-25 17:57:30 +01:00 · 2019-03-25 17:57:30 +01:00 · 753d591aea
commit 753d591aea
parent 669f720edc
2 changed files with 9 additions and 1 deletions
--- a/src/core.js
+++ b/src/core.js
@ -158,8 +158,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 			for ( name in options ) {
 				copy = options[ name ];

+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}

--- a/test/unit/core.js
+++ b/test/unit/core.js
@ -1062,6 +1062,13 @@ QUnit.test( "jQuery.extend(true,{},{a:[], o:{}}); deep copy with array, followed
 	assert.ok( !Array.isArray( result.object ), "result.object wasn't paved with an empty array" );
 } );

+QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
+	assert.expect( 1 );
+
+	jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
+	assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
+} );
+
 QUnit.test( "jQuery.each(Object,Function)", function( assert ) {
 	assert.expect( 23 );