Fix Prototype Pollution vulnerability (CVE-2023-26102)

JordiVM · JordiVM · commit 6671f0f18d93 · 2023-04-05T18:42:43.000+02:00
diff --git a/lib/rangy-core.js b/lib/rangy-core.js
@@ -158,6 +158,9 @@
         util.extend = extend = function(obj, props, deep) {
             var o, p;
             for (var i in props) {
+                if (i === "__proto__" || i === "constructor" || i === "prototype") {
+                    continue;
+                }
                 if (props.hasOwnProperty(i)) {
                     o = obj[i];
                     p = props[i];
@@ -3893,4 +3896,4 @@
     }
 
     return api;
-}, this);
+}, this);
