skip all __ keys instead of only __proto__

Author: archmoj

src/lib/index.js

@@ -925,6 +925,11 @@ lib.objectFromPath = function(path, value) {
 var dottedPropertyRegex = /^([^\[\.]+)\.(.+)?/;
 var indexedPropertyRegex = /^([^\.]+)\[([0-9]+)\](\.)?(.+)?/;
 
+function notValid(prop) {
+    // guard against polluting __proto__ and other internals getters and setters
+    return prop.slice(0, 2) === '__';
+}
+
 lib.expandObjectPaths = function(data) {
     var match, key, prop, datum, idx, dest, trailingPath;
     if(typeof data === 'object' && !Array.isArray(data)) {
@@ -933,7 +938,7 @@ lib.expandObjectPaths = function(data) {
                 if((match = key.match(dottedPropertyRegex))) {
                     datum = data[key];
                     prop = match[1];
-                    if(prop === '__proto__') continue;
+                    if(notValid(prop)) continue;
 
                     delete data[key];
 
@@ -942,7 +947,7 @@ lib.expandObjectPaths = function(data) {
                     datum = data[key];
 
                     prop = match[1];
-                    if(prop === '__proto__') continue;
+                    if(notValid(prop)) continue;
 
                     idx = parseInt(match[2]);
 
@@ -973,11 +978,11 @@ lib.expandObjectPaths = function(data) {
                         // This is the case where this property is the end of the line,
                         // e.g. xaxis.range[0]
 
-                        if(prop === '__proto__') continue;
+                        if(notValid(prop)) continue;
                         data[prop][idx] = lib.expandObjectPaths(datum);
                     }
                 } else {
-                    if(key === '__proto__') continue;
+                    if(notValid(key)) continue;
                     data[key] = lib.expandObjectPaths(data[key]);
                 }
             }
@@ -1065,7 +1070,7 @@ lib.templateString = function(string, obj) {
             getterCache[key] = getterCache[key] || lib.nestedProperty(obj, key).get;
             v = getterCache[key]();
         }
-        return lib.isValidTextValue(v) ? v : '';
+        return lib.notValidTextValue(v) ? v : '';
     });
 };
 
@@ -1298,14 +1303,14 @@ lib.fillText = function(calcPt, trace, contOut) {
         function(v) { contOut.text = v; };
 
     var htx = lib.extractOption(calcPt, trace, 'htx', 'hovertext');
-    if(lib.isValidTextValue(htx)) return fill(htx);
+    if(lib.notValidTextValue(htx)) return fill(htx);
 
     var tx = lib.extractOption(calcPt, trace, 'tx', 'text');
-    if(lib.isValidTextValue(tx)) return fill(tx);
+    if(lib.notValidTextValue(tx)) return fill(tx);
 };
 
 // accept all truthy values and 0 (which gets cast to '0' in the hover labels)
-lib.isValidTextValue = function(v) {
+lib.notValidTextValue = function(v) {
     return v || v === 0;
 };