
Commit 581b19a

committed
use Object.create(null) to create all parsed objects (prevent prototype replacement)
1 parent 1832e0b commit 581b19a


3 files changed

+20
-20
lines changed


lib/parser.js

+5-5
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

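--- a/src/parser.coffee
+++ b/src/parser.coffee
@@ -102,12 +102,12 @@ class exports.Parser extends events
 charkey = @options.charkey
 
 @saxParser.onopentag = (node) =>
-obj = {}
+obj = Object.create(null)
 obj[charkey] = ""
 unless @options.ignoreAttrs
 for own key of node.attributes
 if attrkey not of obj and not @options.mergeAttrs
-obj[attrkey] = {}
+obj[attrkey] = Object.create(null)
 newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key]
 processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key
 if @options.mergeAttrs
@@ -163,7 +163,7 @@ class exports.Parser extends events
 # put children into <childkey> property and unfold chars if necessary
 if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
 if not @options.preserveChildrenOrder
-node = {}
+node = Object.create(null)
 # separate attributes
 if @options.attrkey of obj
 node[@options.attrkey] = obj[@options.attrkey]
@@ -181,7 +181,7 @@ class exports.Parser extends events
 # append current node onto parent's <childKey> array
 s[@options.childkey] = s[@options.childkey] or []
 # push a clone so that the node in the children array can receive the #name property while the original obj can do without it
-objClone = {}
+objClone = Object.create(null)
 for own key of obj
 objClone[key] = obj[key]
 s[@options.childkey].push objClone
@@ -198,7 +198,7 @@ class exports.Parser extends events
 if @options.explicitRoot
 # avoid circular references
 old = obj
-obj = {}
+obj = Object.create(null)
 obj[nodeName] = old
 
 @resultObject = obj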
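Review bot: The switch to `Object.create(null)` at new lines 105 and 110 of the `onopentag` handler carries no comment saying why, so a later cleanup could turn it back into `{}` without noticing the security purpose; I would add `# null-prototype object: keys come from the parsed document, so names like __proto__ must land as plain own properties` above line 105. The change is also visible to callers: the test file in this commit had to stop calling `r.hasOwnProperty(...)`, so any consumer that calls inherited `Object.prototype` methods on the result will now throw, which deserves a changelog/README note and probably a semver-major release. Consumers that copy the result into ordinary objects (a deep merge, for example) may still need to filter such keys themselves, and the docs should say so. The handler body starts and continues outside this hunk, so it cannot be confirmed from here that every object the parser builds goes through the same constructor.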

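--- a/test/parser.test.coffee
+++ b/test/parser.test.coffee
@@ -547,13 +547,13 @@ module.exports =
 
 'test single attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase], (r)->
 console.log 'Result object: ' + util.inspect r, false, 10
-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), true
-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), true)
+equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR'), true
+equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWERCASEATTR'), true)
 
 'test multiple attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase, nameCutoff], (r)->
 console.log 'Result object: ' + util.inspect r, false, 10
-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAME'), true
-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWE'), true)
+equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAME'), true
+equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWE'), true)
 
 'test single attrValueProcessors': skeleton(attrValueProcessors: [nameToUpperCase], (r)->
 console.log 'Result object: ' + util.inspect r, false, 10
@@ -575,21 +575,21 @@ module.exports =
 
 'test single tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase], (r)->
 console.log 'Result object: ' + util.inspect r, false, 10
-equ r.hasOwnProperty('SAMPLE'), true
-equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true)
+equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
+equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true)
 
 'test single tagNameProcessors in simple callback': (test) ->
 fs.readFile fileName, (err, data) ->
 xml2js.parseString data, tagNameProcessors: [nameToUpperCase], (err, r)->
 console.log 'Result object: ' + util.inspect r, false, 10
-equ r.hasOwnProperty('SAMPLE'), true
-equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true
+equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
+equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true
 test.finish()
 
 'test multiple tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase, nameCutoff], (r)->
 console.log 'Result object: ' + util.inspect r, false, 10
-equ r.hasOwnProperty('SAMP'), true
-equ r.SAMP.hasOwnProperty('TAGN'), true)
+equ {}.hasOwnProperty.call(r, 'SAMP'), true
+equ {}.hasOwnProperty.call(r.SAMP, 'TAGN'), true)
 
 'test attrValueProcessors key param': skeleton(attrValueProcessors: [replaceValueByName], (r)->
 console.log 'Result object: ' + util.inspect r, false, 10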
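Review bot: None of the changed assertions exercises what the commit is for: lines 550–592 only adapt existing `hasOwnProperty` checks to null-prototype results, and no test pins the new behavior. I would add a case that parses the fixture and asserts the prototype directly, e.g. `equ Object.getPrototypeOf(r), null` and `equ Object.getPrototypeOf(r.sample), null`, ideally also with an input whose element or attribute name collides with an `Object.prototype` member, so a regression to `{}` fails the suite. As a style point, the ten repeated `{}.hasOwnProperty.call(...)` calls would read better behind one helper such as `has = (o, k) -> Object::hasOwnProperty.call o, k`. The surrounding `module.exports` object starts and ends outside these hunks.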
