Usage of default-prototype Object for URL params results in parsing problems

[ThomasRinsma]

Environment

Node v23.10.0, ufo version 1.5.4.

Reproduction

> ufo.getQuery("http://foo.com/?toString=a")
{ toString: [ [Function: toString], 'a' ] }

Describe the bug

The accumulator object used during query parsing (initialized here), is a regular JavaScript Object. This means that it all the default Object keys are valid keys:

> x = {};
{}
> x.<tab complete>
x.__proto__             x.constructor           x.hasOwnProperty        x.isPrototypeOf         x.propertyIsEnumerable
x.toLocaleString        x.toString              x.valueOf

As regular key-accessing is used, the prototype chain is followed, hence, the check here will not be undefined for those keys, and this assignment logic will be followed.

In other words, while there is a check for __proto__ and constructor to prevent prototype pollution (I presume), this does not solve the problem of accessing other keys in the object's prototype. A good solution would be to use Object.create(null) instead of {} to initialize object.

Additional context

No response

Logs

[pi0]

Thanks for report. Feel free to open a PR. You can use this pattern to avoid perf penalty of null object.