diff options
author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2024-10-30 09:58:01 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-30 09:58:01 +0100 |
commit | d591bdd494cf28a399ea7d7ae7ccbae3a5cab020 (patch) | |
tree | 2792bb122dc90534685403f224e0cef18e685d15 /ui/widget.js | |
parent | 85bed8ddd893390fd41bd7e93d2a44a1b5d9b885 (diff) | |
download | jquery-ui-d591bdd494cf28a399ea7d7ae7ccbae3a5cab020.tar.gz jquery-ui-d591bdd494cf28a399ea7d7ae7ccbae3a5cab020.zip |
Widget: Don't let widget name affect `$.ui` prototype & constructor
This is an edge case and it only affects code accepting untrusted input as
a widget name, but it's still technically correct to filter these out.
Closes gh-2310
Diffstat (limited to 'ui/widget.js')
-rw-r--r-- | ui/widget.js | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ui/widget.js b/ui/widget.js index 7201b4fbf..d5fbd885c 100644 --- a/ui/widget.js +++ b/ui/widget.js @@ -56,6 +56,9 @@ $.widget = function( name, base, prototype ) { var namespace = name.split( "." )[ 0 ]; name = name.split( "." )[ 1 ]; + if ( name === "__proto__" || name === "constructor" ) { + return $.error( "Invalid widget name: " + name ); + } var fullName = namespace + "-" + name; if ( !prototype ) { |