Description: use Object.create(null) to create all parsed objects
 (prevent prototype replacement)
Author: James Crosby <james@coggle.it>
Origin: upstream, commit:581b19a6
Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
Bug-Debian: https://bugs.debian.org/1034148
Forwarded: not-needed
Applied-Upstream: 0.5.0, commit:581b19a6
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2023-04-21

--- a/src/xml2js.coffee
+++ b/src/xml2js.coffee
@@ -105,12 +105,12 @@
     charkey = @options.charkey
 
     @saxParser.onopentag = (node) =>
-      obj = {}
+      obj = Object.create(null)
       obj[charkey] = ""
       unless @options.ignoreAttrs
         for own key of node.attributes
           if attrkey not of obj and not @options.mergeAttrs
-            obj[attrkey] = {}
+            obj[attrkey] = Object.create(null)
           if @options.mergeAttrs
             obj[key] = node.attributes[key]
           else
@@ -158,7 +158,7 @@
 
       # put children into <childkey> property and unfold chars if necessary
       if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
-        node = {}
+        node = Object.create(null)
         # separate attributes
         if @options.attrkey of obj
           node[@options.attrkey] = obj[@options.attrkey]
@@ -193,7 +193,7 @@
         if @options.explicitRoot
           # avoid circular references
           old = obj
-          obj = {}
+          obj = Object.create(null)
           obj[nodeName] = old
 
         @resultObject = obj