From 0a11c8a7f6ea06b644e52ee0a95356254c1cdba7 Mon Sep 17 00:00:00 2001
From: Luke Edwards <luke.edwards05@gmail.com>
Date: Wed, 27 Jan 2021 18:44:52 -0800
Subject: [PATCH] fix: break loop on unsafe keys;

- Verified values w/ lodash
- Closes #22
---
 src/index.js  |  2 +-
 test/index.js | 20 +++++++-------------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/src/index.js b/src/index.js
index 6589bd6..f5628ec 100644
--- a/src/index.js
+++ b/src/index.js
@@ -3,7 +3,7 @@ export function dset(obj, keys, val) {
 	var i=0, l=keys.length, t=obj, x, k;
 	for (; i < l;) {
 		k = keys[i++];
-		if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;
+		if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 		t = t[k] = (i === l) ? val : (typeof(x=t[k])===typeof(keys)) ? x : (keys[i]*0 !== 0 || !!~(''+keys[i]).indexOf('.')) ? {} : [];
 	}
 }
diff --git a/test/index.js b/test/index.js
index 853f5ab..fbecbc8 100644
--- a/test/index.js
+++ b/test/index.js
@@ -251,8 +251,7 @@ pollution('should protect against "__proto__" assignment', () => {
 
 	assert.equal(input.__proto__, before);
 	assert.equal(input, {
-		abc: 123,
-		hello: 123
+		abc: 123
 	});
 
 	assert.is.not({}.hello, 123);
@@ -269,7 +268,7 @@ pollution('should protect against "__proto__" assignment :: nested', () => {
 	assert.equal(input, {
 		abc: 123,
 		xyz: {
-			hello: 123
+			// empty
 		}
 	});
 
@@ -284,17 +283,17 @@ pollution('should ignore "prototype" assignment', () => {
 	dset(input, 'a.prototype.hello', 'world');
 
 	assert.is(input.a.prototype, undefined);
-	assert.is(input.a.hello, 'world');
+	assert.is(input.a.hello, undefined);
 
 	assert.equal(input, {
 		a: {
-			hello: 'world'
+			// converted, then aborted
 		}
 	});
 
 	assert.is(
 		JSON.stringify(input),
-		'{"a":{"hello":"world"}}'
+		'{"a":{}}'
 	);
 });
 
@@ -319,16 +318,11 @@ pollution('should ignore "constructor" assignment :: nested', () => {
 
 	dset(input, 'constructor.prototype.hello', 'world');
 	assert.is(input.hasOwnProperty('constructor'), false);
-	assert.is(input.hasOwnProperty('hello'), true);
+	assert.is(input.hasOwnProperty('hello'), false);
 
 	assert.equal(input, {
-		hello: 'world'
+		// empty
 	});
-
-	assert.is(
-		JSON.stringify(input),
-		'{"hello":"world"}'
-	);
 });
 
 pollution.run();