Revert "Stop protecting against String.prototype modifications in shelljs"

This reverts commit 7a2e6de78e, reinstating @dgreensp's earlier commit 98886f98ef. Related: #5107
2026-05-02 03:01:46 -04:00 · 2016-02-29 16:57:57 -05:00
parent 9ff3cdc7eb
commit db437e23c3
2 changed files with 19 additions and 0 deletions
--- a/tools/cordova/project.js
+++ b/tools/cordova/project.js
@@ -13,6 +13,7 @@ import main from '../cli/main.js';
 import httpHelpers from '../utils/http-helpers.js';
 import { execFileSync, execFileAsync } from '../utils/processes.js';

+import './protect-string-proto.js'; // must always come before 'cordova-lib'
 import { cordova as cordova_lib, events as cordova_events, CordovaError }
  from 'cordova-lib';
 import cordova_util from 'cordova-lib/src/cordova/util.js';
--- a/tools/cordova/protect-string-proto.js
+++ b/tools/cordova/protect-string-proto.js
@@ -0,0 +1,18 @@
+// `cordova-lib` depends on `shelljs`, which modifies String.prototype
+// (which is BAD).  See:
+// https://github.com/arturadib/shelljs/issues/159
+//
+// The following code protects the tool environment (which is also
+// where build plugins run) from having a polluted String.prototype.
+// One JS library in particular, String.js (before v3.3.1), is
+// sensitive to String prototype pollution.
+//
+// Fortunately, `cordova-lib` does not seem to rely on the presence of
+// `String#to` or `String#toEnd` (or this code would break it).
+//
+// This code can be removed when `shelljs` cleans up its act and
+// `cordova-lib` uses a new version, or when `cordova-lib` moves away
+// from `shelljs`.
+
+Object.defineProperty(String.prototype, 'to', { set: function () {} });
+Object.defineProperty(String.prototype, 'toEnd', { set: function () {} });