Force strict equality on vnode constructor (#4986)

JoviDeCroock · web-flow · commit c1bcde3a1d72 · 2026-01-09T08:13:44.000+01:00
* Force strict equality on vnode constructor * Update test (#4989)
diff --git a/src/create-element.js b/src/create-element.js
@@ -84,4 +84,4 @@ export function Fragment(props) {
  * @returns {vnode is VNode}
  */
 export const isValidElement = vnode =>
-	vnode != NULL && vnode.constructor == UNDEFINED;
+	vnode != NULL && vnode.constructor === UNDEFINED;
diff --git a/src/diff/children.js b/src/diff/children.js
@@ -209,7 +209,7 @@ function constructNewChildrenArray(
 				NULL,
 				NULL
 			);
-		} else if (childVNode.constructor == UNDEFINED && childVNode._depth > 0) {
+		} else if (childVNode.constructor === UNDEFINED && childVNode._depth > 0) {
 			// VNode is already in use, clone it. This can happen in the following
 			// scenario:
 			//   const reuse = <div />
diff --git a/src/diff/index.js b/src/diff/index.js
@@ -73,7 +73,7 @@ export function diff(
 
 	// When passing through createElement it assigns the object
 	// constructor as undefined. This to prevent JSON-injection.
-	if (newVNode.constructor != UNDEFINED) return NULL;
+	if (newVNode.constructor !== UNDEFINED) return NULL;
 
 	// If the previous diff bailed out, resume creating/hydrating.
 	if (
diff --git a/test/browser/render.test.jsx b/test/browser/render.test.jsx
@@ -101,7 +101,9 @@ describe('render()', () => {
 	});
 
 	it('should not render when detecting JSON-injection', () => {
-		const vnode = JSON.parse('{"type":"span","children":"Malicious"}');
+		const vnode = JSON.parse(
+			'{"type":"span","props":{ "children": "Malicious"}, "__v": 1, "constructor": null}'
+		);
 		render(vnode, scratch);
 		expect(scratch.firstChild).to.be.null;
 	});
