fix(core): use Object.create(null) to prevent possible proto pollution (#1416)

api/src/shell.ts

@@ -39,7 +39,10 @@ interface ChildProcess {
 }
 
 class EventEmitter<E> {
-  eventListeners: { [key: string]: Array<(arg: any) => void> } = {}
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+  eventListeners: { [key: string]: Array<(arg: any) => void> } = Object.create(
+    null
+  )
 
   private addEventListener(event: string, handler: (arg: any) => void): void {
     if (event in this.eventListeners) {

api/src/window.ts

@@ -31,7 +31,8 @@ class WebviewWindowHandle {
 
   constructor(label: string) {
     this.label = label
-    this.listeners = {}
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+    this.listeners = Object.create(null)
   }
 
   /**

tauri/src/endpoints/event.rs

@@ -87,7 +87,7 @@ pub fn listen_js<M: Params>(
 ) -> String {
   format!(
     "if (window['{listeners}'] === void 0) {{
-      window['{listeners}'] = {{}}
+      window['{listeners}'] = Object.create(null)
     }}
     if (window['{listeners}']['{event}'] === void 0) {{
       window['{listeners}']['{event}'] = []