Protect against escaped evil escaping

CHANGELOG.md

@@ -0,0 +1,11 @@
+## 1.0.1 (Unreleased)
+
+Bug Fixes
+
+- Protect against escaped evil escaping.
+
+**A note on security:** Turbo Combine Reducers uses `new Function` dynamic function evaluation (i.e. an `eval` equivalent) to pre-compile the state value reducer. The risk surface area is limited to reducer property names. Most applications will never (and _should never_) include a dynamic, user-input value as a reducer key and thus would not be exposed to any risk, including in prior releases. The changes in this release more aggressively sanitize reducer keys to offer protection even in the limited use-case where an unsafe user-input reducer key would be intended to be used.
+
+## 1.0.0 (2018-10-20)
+
+- Initial release

__tests__/index.js

@@ -38,8 +38,14 @@ describe( 'combineReducers', () => {
 	} );
 
 	it( 'is not susceptible to evil', () => {
-		combineReducers( {
-			'\':(function(){throw "EVIL";})(),\'a': () => 0,
-		} );
+		try {
+			combineReducers( {
+				'\\\':(function(){throw "EVIL"})()};//': () => 0,
+			} )();
+		} catch ( error ) {
+			if ( error === 'EVIL' ) {
+				throw error;
+			}
+		}
 	} );
 } );

index.js

@@ -11,13 +11,13 @@ function combineReducers( reducers ) {
 			// used as string literals of the object properties. To ensure that
 			// the property would not prematurely terminate the string literal
 			// token, and considering termination by its ending single quote,
-			// escape all single quotes of the key.
+			// remove any single quotes of the key.
 			//
 			// "A string literal is zero or more Unicode code points enclosed
 			// in single or double quotes."
 			//
 			// See: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-literals-string-literals
-			key = keys[ i ].replace( /'/g, '\\\'' );
+			key = keys[ i ].replace( /'/g, '' );
 
 			fn += '\'' + key + '\':r[\'' + key + '\'](s[\'' + key + '\'],a),';
 		}