
fix: guard action lookups against prototypes #16236

Open: vamshikrishnaramasamy wants to merge 1 commit into sveltejs:main from vamshikrishnaramasamy:fix/prototype-safe-action-lookup

vamshikrishnaramasamy (Contributor) commented Jul 3, 2026

Fixes #15525.

This uses own-property checks when resolving named form actions and remote manifest entries, so prototype properties like toString and constructor are treated like missing actions/remotes instead of being invoked.

Added a regression test for ?/toString on a named form action.

Tests:

  • pnpm --dir packages/kit/test/apps/basics exec playwright test test/server.test.js --grep "ignores Object.prototype properties"
  • pnpm --dir packages/kit exec prettier --config ../../.prettierrc --check src/runtime/server/page/actions.js src/runtime/server/remote.js test/apps/basics/test/server.test.js
  • pnpm --dir packages/kit exec tsc --noEmit --pretty false
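
The own-property check described in the PR description above, as an added example that is not code from the pull request or from SvelteKit. The `actions` table, the helper names (`actionName`, `resolveUnsafe`, `resolveSafe`, `compare`) and the query strings are constructed for illustration.

```javascript
// Added illustration: hypothetical names, not SvelteKit's internals.

// Named form actions as a plain object literal, which inherits from Object.prototype.
const actions = {
  login: async () => ({ ok: true })
};

// Derive the action name from a form POST query string such as "?/login".
function actionName(search) {
  for (const key of new URLSearchParams(search).keys()) {
    if (key.startsWith('/')) return key.slice(1);
  }
  return 'default';
}

// Before: bracket lookup walks the prototype chain, so "toString" and
// "constructor" resolve to inherited functions the app never declared.
function resolveUnsafe(table, name) {
  return table[name] ?? null;
}

// After: only properties declared directly on the table count as actions.
function resolveSafe(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : null;
}

// Compare both lookups over constructed request query strings.
function compare(searches) {
  return searches.map((search) => {
    const name = actionName(search);
    return {
      name,
      unsafe: resolveUnsafe(actions, name) !== null,
      safe: resolveSafe(actions, name) !== null
    };
  });
}

const report = compare(['?/login', '?/toString', '?/constructor', '?/missing']);
console.table(report);
```

A lookup table created with `Object.create(null)` has no prototype chain, which closes the same gap at the data-structure level.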

pkg-svelte-dev Bot commented Jul 3, 2026

Install the latest version of @sveltejs/kit from afb86c5:

pnpm add https://pkg.svelte.dev/@sveltejs/kit/c/afb86c5e0459fbbd0a7ca68259a26521ce496e8c

Open in pkg.svelte.dev: https://pkg.svelte.dev/repos/kit/pr/16236

Note

This PR is from a fork. A maintainer must approve each commit before it can be built and installed.

changeset-bot Bot commented Jul 3, 2026

⚠️ No Changeset found

Latest commit: afb86c5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Development

Successfully merging this pull request may close these issues.

Form action lookup resolves Object.prototype methods via bracket notation
