From d591bdd494cf28a399ea7d7ae7ccbae3a5cab020 Mon Sep 17 00:00:00 2001 From: Michał Gołębiowski-Owczarek Date: Wed, 30 Oct 2024 09:58:01 +0100 Subject: Widget: Don't let widget name affect `$.ui` prototype & constructor This is an edge case and it only affects code accepting untrusted input as a widget name, but it's still technically correct to filter these out. Closes gh-2310 --- tests/unit/widget/core.js | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'tests')
diff --git a/tests/unit/widget/core.js b/tests/unit/widget/core.js
index fe74e18e9..38e63a8c0 100644
--- a/tests/unit/widget/core.js
+++ b/tests/unit/widget/core.js
@@ -242,6 +242,28 @@ QUnit.test( "error handling", function( assert ) {
 $.error = error;
 } );
 
+QUnit.test( "Prototype pollution", function( assert ) {
+ assert.expect( 3 );
+
+ var elem = $( "
" );
+
+ $.widget( "ui.testWidget", {} );
+
+ elem.testWidget();
+
+ try {
+ $.widget( "ui.__proto__", {} );
+ } catch ( _e ) {}
+ try {
+ $.widget( "ui.constructor", {} );
+ } catch ( _e ) {}
+
+ assert.strictEqual( Object.getPrototypeOf( $.ui ), Object.prototype,
+ "$.ui constructor not modified" );
+ assert.ok( $.ui instanceof Object, "$.ui is an Object instance" );
+ assert.notOk( $.ui instanceof Function, "$.ui is not a Function instance" );
+} );
+
 QUnit.test( "merge multiple option arguments", function( assert ) {
 assert.expect( 1 );
 $.widget( "ui.testWidget", {
-- cgit v1.2.3
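Review bot: The `ui.constructor` case is not actually checked by any of the three assertions: an own `constructor` property written onto `$.ui` would leave `Object.getPrototypeOf( $.ui )` and both `instanceof` results unchanged, so the test would still pass if that name were not filtered. Adding `assert.strictEqual( $.ui.constructor, Object, "$.ui.constructor not overwritten" );` and raising the count to `assert.expect( 4 );` would pin it. The message on the first assertion says "constructor not modified" although it checks the prototype, so `"$.ui prototype not modified"` would read more accurately. The empty `catch ( _e ) {}` blocks also mean the test does not record whether a rejected widget name throws or is silently ignored; the widget-side change is outside this view (the patch is limited to `tests`), so a short comment stating which behaviour is expected would help the next reader.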