Fix Prototype Pollution vulnerability (CVE-2023-26102) [security] #482
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marcbachmann
approved these changes
Apr 10, 2023
|
@timdown feel free to add me as maintainer here and on npm if you don't have the time to maintain this module. |
|
suggestion: People aware of this vulnerability can patch it themselves for now, until a fix has been merged. |
FL3XX-dev
pushed a commit
to FL3XX-dev/rangy
that referenced
this pull request
Nov 2, 2023
|
@timdown, please, merge the fix and accept new maintainers. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #481
Rangy was flagged with Prototype Pollution vulnerability at the end of 2022. This PR proposes a solution by skipping the problematic object attributes in
rangy.util.extend()