v2.0.3

2019-07-27 20:57:02 -04:00 · 2019-07-27 20:57:02 -04:00 · 0d10dc2c89
commit 0d10dc2c89
parent e58e9186f8
6 changed files with 13 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -18,7 +18,7 @@ mithril.js [![npm Version](https://img.shields.io/npm/v/mithril.svg)](https://ww
 ## What is Mithril?
-A modern client-side Javascript framework for building Single Page Applications. It's small (<!-- size -->9.77 KB<!-- /size --> gzipped), fast and provides routing and XHR utilities out of the box.
+A modern client-side Javascript framework for building Single Page Applications. It's small (<!-- size -->9.78 KB<!-- /size --> gzipped), fast and provides routing and XHR utilities out of the box.
 Mithril is used by companies like Vimeo and Nike, and open source platforms like Lichess 👍.
--- a/docs/change-log.md
+++ b/docs/change-log.md
@ -1,5 +1,6 @@
 # Change log
 - [v2.0.3](#v203)
 - [v2.0.1](#v201)
 - [v2.0.0](#v200)
 - [Migrating from v1.x](migration-v1x.md)
@ -18,11 +19,13 @@
 -->
-### v2.0.2
+### v2.0.3
 - Ensure vnodes are removed correctly in the face of `onbeforeremove` resolving after new nodes are added ([#2492](https://github.com/MithrilJS/mithril.js/pull/2492) [@isiahmeadows](https://github.com/isiahmeadows))
 - Fix prototype pollution vulnerability in `m.parseQueryString` ([#2494](https://github.com/MithrilJS/mithril.js/pull/2494) [@isiahmeadows](https://github.com/isiahmeadows))
 *v2.0.2 was skipped as it had a critical flaw and was immediately unpublished.*
 ### v2.0.1
 Same as v2.0.0, but with a publish that didn't have a botched upload.
--- a/mithril.js
+++ b/mithril.js
@ -1510,7 +1510,6 @@ var parseQueryString = function(string) {
 		for (var j0 = 0; j0 < levels.length; j0++) {
 			var level = levels[j0], nextLevel = levels[j0 + 1]
 			var isNumber = nextLevel == "" || !isNaN(parseInt(nextLevel, 10))
 			var isValue = j0 === levels.length - 1
 			if (level === "") {
 				var key5 = levels.slice(0, j0).join()
 				if (counters[key5] == null) {
@ -1520,15 +1519,15 @@ var parseQueryString = function(string) {
 			}
 			// Disallow direct prototype pollution
 			else if (level === "__proto__") break
-			if (isValue) cursor[level] = value2
+			if (j0 === levels.length - 1) cursor[level] = value2
 			else {
 				// Read own properties exclusively to disallow indirect
 				// prototype pollution
-				value2 = Object.getOwnPropertyDescriptor(cursor, level)
+				var desc = Object.getOwnPropertyDescriptor(cursor, level)
-				if (value2 != null) value2 = value2.value
+				if (desc != null) desc = desc.value
-				if (value2 == null) value2 = cursor[level] = isNumber ? [] : {}
+				if (desc == null) cursor[level] = desc = isNumber ? [] : {}
 				cursor = desc
 			}
 			cursor = value2
 		}
 	}
 	return data0
--- a/mithril.min.js
+++ b/mithril.min.js
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "mithril",
-  "version": "2.0.2",
+  "version": "2.0.3",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "mithril",
-  "version": "2.0.2",
+  "version": "2.0.3",
  "description": "A framework for building brilliant applications",
  "author": "Leo Horie",
  "license": "MIT",