diff --git a/lib/parser.js b/lib/parser.js index 192382d3..08935917 100644 --- a/lib/parser.js +++ b/lib/parser.js @@ -1,7 +1,7 @@ // Generated by CoffeeScript 1.12.7 (function() { "use strict"; - var bom, defaults, events, isEmpty, processItem, processors, sax, setImmediate, + var bom, defaults, events, isEmpty, isValidKey, processItem, processors, sax, setImmediate, bind = function(fn, me){ return function(){ return fn.apply(me, arguments); }; }, extend = function(child, parent) { for (var key in parent) { if (hasProp.call(parent, key)) child[key] = parent[key]; } function ctor() { this.constructor = child; } ctor.prototype = parent.prototype; child.prototype = new ctor(); child.__super__ = parent.prototype; return child; }, hasProp = {}.hasOwnProperty; @@ -22,6 +22,10 @@ return typeof thing === "object" && (thing != null) && Object.keys(thing).length === 0; }; + isValidKey = function(key) { + return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; + }; + processItem = function(processors, item, key) { var i, len, process; for (i = 0, len = processors.length; i < len; i++) { @@ -92,6 +96,9 @@ }; Parser.prototype.assignOrPush = function(obj, key, newValue) { + if (!isValidKey(key)) { + return; + } if (!(key in obj)) { if (!this.options.explicitArray) { return obj[key] = newValue; 
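Review bot: `isValidKey` has no comment saying that elements or attributes named `__proto__`, `constructor` or `prototype` are now silently left out of the parse result, which is a behaviour change callers should be able to find. I would put a short comment above the definition, for example `// Names that must never be written as keys on a plain object; entries with these names are dropped from the result.` The file header says it is generated by CoffeeScript, so the comment belongs in the CoffeeScript source rather than in this file.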
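Review bot: The context line `if (!(key in obj)) {` in `assignOrPush` walks the prototype chain, and the later hunks of this commit change the result objects from `Object.create(null)` to `{}`. Names such as `toString` or `hasOwnProperty` pass `isValidKey` but are found `in` a plain object, so the first element or attribute with that name would be treated as already present. The branch that handles that case is outside the hunk, so the exact effect needs confirming. An own-property test avoids depending on the three-name list: `if (!hasProp.call(obj, key)) {`, using the `hasProp` already declared at the top of the file. Because the file is generated, the change should be made in the CoffeeScript source.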
@@ -141,21 +148,23 @@ this.saxParser.onopentag = (function(_this) { return function(node) { var key, newValue, obj, processedKey, ref; - obj = Object.create(null); + obj = {}; obj[charkey] = ""; if (!_this.options.ignoreAttrs) { ref = node.attributes; for (key in ref) { if (!hasProp.call(ref, key)) continue; if (!(attrkey in obj) && !_this.options.mergeAttrs) { - obj[attrkey] = Object.create(null); + obj[attrkey] = {}; } newValue = _this.options.attrValueProcessors ? processItem(_this.options.attrValueProcessors, node.attributes[key], key) : node.attributes[key]; processedKey = _this.options.attrNameProcessors ? processItem(_this.options.attrNameProcessors, key) : key; - if (_this.options.mergeAttrs) { - _this.assignOrPush(obj, processedKey, newValue); - } else { - obj[attrkey][processedKey] = newValue; + if (isValidKey(processedKey)) { + if (_this.options.mergeAttrs) { + _this.assignOrPush(obj, processedKey, newValue); + } else { + obj[attrkey][processedKey] = newValue; + } } } } @@ -226,7 +235,7 @@ } if (_this.options.explicitChildren && !_this.options.mergeAttrs && typeof obj === 'object') { if (!_this.options.preserveChildrenOrder) { - node = Object.create(null); + node = {}; if (_this.options.attrkey in obj) { node[_this.options.attrkey] = obj[_this.options.attrkey]; delete obj[_this.options.attrkey]; @@ -241,10 +250,12 @@ obj = node; } else if (s) { s[_this.options.childkey] = s[_this.options.childkey] || []; - objClone = Object.create(null); + objClone = {}; for (key in obj) { if (!hasProp.call(obj, key)) continue; - objClone[key] = obj[key]; + if (isValidKey(key)) { + objClone[key] = obj[key]; + } } s[_this.options.childkey].push(objClone); delete obj["#name"]; @@ -258,7 +269,7 @@ } else { if (_this.options.explicitRoot) { old = obj; - obj = Object.create(null); + obj = {}; obj[nodeName] = old; } _this.resultObject = obj;
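Review bot: In the last hunk (`@@ -258,7 +269,7 @@`), `obj[nodeName] = old;` now writes to a plain `{}` without the `isValidKey` check that the other write sites in this commit received. `nodeName` is set outside the hunk; if it is the root element's name, a root named `__proto__` would replace the prototype of the returned object instead of creating an own key. `Object.prototype` itself would be untouched, but the result would have an unexpected shape. Guarding the write keeps this path consistent with `assignOrPush`: `if (isValidKey(nodeName)) { obj[nodeName] = old; }`. The enclosing handler starts and ends outside the hunk.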