authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2024-10-30 09:58:01 +0100
committerGitHub <noreply@github.com>2024-10-30 09:58:01 +0100
commitd591bdd494cf28a399ea7d7ae7ccbae3a5cab020 (patch)
tree2792bb122dc90534685403f224e0cef18e685d15 /ui/widget.js
parent85bed8ddd893390fd41bd7e93d2a44a1b5d9b885 (diff)
downloadjquery-ui-d591bdd494cf28a399ea7d7ae7ccbae3a5cab020.tar.gz
jquery-ui-d591bdd494cf28a399ea7d7ae7ccbae3a5cab020.zip
Widget: Don't let widget name affect `$.ui` prototype & constructor
This is an edge case and it only affects code accepting untrusted input as a widget name, but it's still technically correct to filter these out. Closes gh-2310
Diffstat (limited to 'ui/widget.js')
-rw-r--r--ui/widget.js3
1 files changed, 3 insertions, 0 deletions
diff --git a/ui/widget.js b/ui/widget.js
index 7201b4fbf..d5fbd885c 100644
--- a/ui/widget.js
+++ b/ui/widget.js
@@ -56,6 +56,9 @@ $.widget = function( name, base, prototype ) {
var namespace = name.split( "." )[ 0 ];
name = name.split( "." )[ 1 ];
+ if ( name === "__proto__" || name === "constructor" ) {
+ return $.error( "Invalid widget name: " + name );
+ }
var fullName = namespace + "-" + name;
if ( !prototype ) {
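Review bot: The new guard rejects `__proto__` and `constructor` only for `name`, while `namespace`, split from the same caller-supplied string two lines above, is left unchecked. The code that uses `namespace` as a property key is outside this hunk, so this needs confirming, but if it indexes `$` with it, the same two reserved keys in the namespace part would presumably still resolve to an inherited object rather than a plain namespace. Consider covering both parts in one check: `if ( name === "__proto__" || name === "constructor" || namespace === "__proto__" || namespace === "constructor" ) {`. Separately, a widget name with no "." leaves `name` undefined, which passes the guard and yields a `fullName` ending in "-undefined"; an explicit `!name` rejection would make that failure visible. The body of `$.widget` continues beyond the end of the hunk.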