Outdated Lodash Secure

This page uses Lodash 4.17.21 and shows a defense-in-depth approach: sanitize untrusted keys and avoid unsafe deep merges by default.

Lodash version:

Safe Pattern — Sanitize & controlled merge

defense-in-depth

Why it’s good: we strip dangerous keys (__proto__, prototype, constructor) and only merge into a known schema object to prevent unexpected props.

Paste the same payloads from the insecure demo.
Click Sanitize & Merge and verify no pollution occurs.

Waiting…

We also show a schema-bound merge where only expected keys are allowed.

// Strip dangerous keys (shallow + deep)
const BLOCK = new Set(['__proto__','prototype','constructor']);
function sanitize(obj){
  if (obj && typeof obj === 'object'){
    // If it's an array, sanitize items
    if (Array.isArray(obj)) return obj.map(sanitize);
    const out = {};
    for (const k of Object.keys(obj)){
      if (BLOCK.has(k)) continue;
      out[k] = sanitize(obj[k]);
    }
    return out;
  }
  return obj;
}

// Merge into a known schema (whitelist keys)
const schema = { profile:{ name:'', email:'', opts:{ theme:'' } } };
function schemaMerge(target, data){
  // copy only keys that exist in schema
  function copy(dst, src, sch){
    for(const k in sch){
      if (Object.prototype.hasOwnProperty.call(src,k)){
        if (sch[k] && typeof sch[k]==='object' && !Array.isArray(sch[k])){
          dst[k] = copy({}, src[k], sch[k]);
        } else {
          dst[k] = src[k];
        }
      }else{
        dst[k] = sch[k];
      }
    }
    return dst;
  }
  return copy(_.cloneDeep(target), data, schema);
}

Production tip: Validate with a real schema (e.g., JSON Schema / zod / Joi).