Merge 4321c21a53 into 06b004ec5c

packages/zone.js/lib/zone-impl.ts

@@ -762,10 +762,20 @@ export type AmbientZone = Zone;
 
 const global = globalThis as any;
 
-// __Zone_symbol_prefix global can be used to override the default zone
-// symbol prefix with a custom one if needed.
+// __Zone_symbol_prefix global can be used to override the default zone symbol
+// prefix with a custom one if needed. The value must be a non-empty string
+// containing only alphanumeric characters and underscores. Any other value
+// (including DOM-clobbered objects, empty strings, or strings with special
+// characters) is silently ignored and the default prefix is used instead.
+// This guards against DOM clobbering attacks where an attacker sets
+// __Zone_symbol_prefix to an HTMLElement via e.g. <input name="__Zone_symbol_prefix">,
+// which would otherwise corrupt all internal zone symbol key lookups.
 export function __symbol__(name: string) {
-  const symbolPrefix = global['__Zone_symbol_prefix'] || '__zone_symbol__';
+  const rawPrefix = global['__Zone_symbol_prefix'];
+  const symbolPrefix =
+    typeof rawPrefix === 'string' && /^[a-zA-Z0-9_]+$/.test(rawPrefix)
+      ? rawPrefix
+      : '__zone_symbol__';
   return symbolPrefix + name;
 }