fix: do not allow invalid hazardous keys in query

[cawa-93]

I drew attention to that when parsing the search query, it is possible to some extent manipulate the prototype of the returned object. I added a few checks so that at least partially prevent it.

[cawa-93]

As a more rigorous and reliable alternative: return the Map or URLSearchParams instead of the object. Of course, this us breaking changes.

[posva]

Thanks, I think this makes sense as it could avoid weird forced bugs when sharing a URL with intentionally wrong query params

[posva]

Thanks!

[posva]

I think I will revert this change as it forbids keys like toString which are totally valid keys in objects and one can still avoid any set of query keys by provide a parseQuery and stringifyQuery.
__proto__ cannot be overridden anyway.

Do you have any real scenario cases where this is a problem? Otherwise I will proceed to revert this change in the next patch @cawa-93

[cawa-93]

No. I have no real scenarios. I see this as a safeguard against mistakes may by developer that lead to security risks

[posva]

so what security risks were you thinking about? That's a scenario

[cawa-93]

I thinking about Prototype pollution, but I don't have any real example. I only assume that there may be some scenarios that may have some scenarios may exist when the developer makes some non-standard behavior when it can lead to problems. I only guess that there may be some scenarios (maybe when the developer makes some non-standard behavior) when it can lead to problems.

[posva]

Thanks for the input!