From c5901be1dfbe66b787159600e6824e3dd799fd2a Mon Sep 17 00:00:00 2001
From: Nick Nisi
Date: Tue, 10 Mar 2020 09:25:04 -0500
Subject: [PATCH] Merge pull request from GHSA-3hw5-q855-g6cw

Prevent the special __proto__ property name from being mixed in to prevent polluting the prototoype of the object being mixed into in the jqMix function in jq.js

(cherry picked from commit 47d1b302b5b23d94e875b77b9b9a8c4f5622c9da)
---
 jq.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jq.js b/jq.js
index 81d3387c65..b0c2c21ad3 100644
--- a/jq.js
+++ b/jq.js
@@ -455,7 +455,7 @@ dojo.query differences that cause some tests to fail:
 // inherited from Object.prototype. For example, if obj has a custom
 // toString() method, don't overwrite it with the toString() method
 // that props inherited from Object.prototype
- if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
+ if(x !== '__proto__ ' && ((tobj[x] === undefined || tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){
 if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
 if(dojo.isArray(props[x])){
 obj[x] = props[x];
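Review bot: The added guard compares `x` against `'__proto__ '` with a trailing space inside the string literal, so as written a key named exactly `__proto__` still passes the check and reaches the merge below; the comparison should be `x !== '__proto__'`. The nested-object branch that follows (`dojo.isObject(obj[x]) && dojo.isObject(props[x])`) looks like a recursive merge, so it is worth also skipping the `constructor` and `prototype` keys, since `constructor.prototype` leads to the same shared prototype without naming `__proto__`; that path lies outside the hunk and should be confirmed. The doubled parentheses around the `tobj[x]` test are redundant and can be dropped. A regression test that mixes in an object with an own `__proto__` key and asserts `Object.prototype` is unchanged would have caught the literal mismatch. jqMix's body begins and ends outside this hunk.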