The object access can be exploited to execute JS code #25

@spider853

Description

The library is nice, but it is dangerous to load arbitrary expressions, as they can execute arbitrary code like this:

```js
const fn = subscript("Math.constructor.constructor('alert(1)')()");
fn({ Math })
```

Suggestion: disable access to these keys: `__proto__`, `constructor`, `prototype`, or use `Object.hasOwn` as a filter.
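Below is a guarded property lookup that implements the mitigation proposed above, as an added example; it is not code from the subscript project or from the issue author. The names `BLOCKED_KEYS`, `parsePath`, `safeGet` and `isAllowed` are hypothetical. It combines both suggestions: it refuses the prototype-chain keys outright and only follows own properties, so a path such as `Math.constructor.constructor` is rejected at the first `constructor` segment rather than ever reaching `Function`.

```javascript
// Added example (not from the subscript project): a guarded member lookup
// for expression evaluators. Keys that walk the prototype chain are refused,
// and every remaining segment must be an own property of the current value.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Object.hasOwn is the modern API; fall back to the classic call on older runtimes.
const hasOwn = Object.hasOwn ?? ((o, k) => Object.prototype.hasOwnProperty.call(o, k));

// Split a dotted member expression such as "Math.max" into path segments,
// accepting only plain identifiers (no brackets, calls or quotes).
function parsePath(expr) {
  const parts = String(expr).split('.');
  for (const part of parts) {
    if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(part)) {
      throw new Error(`invalid path segment: ${JSON.stringify(part)}`);
    }
  }
  return parts;
}

// Resolve a path (array of segments) against a scope object. Throws if any
// segment is a blocked key, if the current value is null/undefined, or if the
// key is not an own property of the current value (inherited members such as
// Math.constructor or obj.toString are therefore unreachable).
function safeGet(scope, path) {
  let current = scope;
  for (const key of path) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`blocked key: ${key}`);
    }
    if (current === null || current === undefined) {
      throw new Error(`cannot read ${key} of ${current}`);
    }
    // Object() boxes primitives so hasOwn also works for strings and numbers.
    if (!hasOwn(Object(current), key)) {
      throw new Error(`not an own property: ${key}`);
    }
    current = current[key];
  }
  return current;
}

// Convenience predicate: true if the expression resolves under the guard.
function isAllowed(scope, expr) {
  try {
    safeGet(scope, parsePath(expr));
    return true;
  } catch {
    return false;
  }
}

// Constructed scope mirroring the one in the issue report.
const scope = { Math, user: { name: 'alice' } };
console.log(isAllowed(scope, 'Math.constructor.constructor')); // false: blocked key
console.log(isAllowed(scope, 'user.toString'));                // false: inherited, not own
console.log(isAllowed(scope, 'Math.PI'));                      // true
```

The own-property check alone already stops `Math.constructor` (it is inherited from `Object.prototype`), but `prototype` is an own property of every ordinary function and `constructor` is an own property of every prototype object, so the explicit blocklist is what keeps a lookup through a user-supplied class or function from reaching `Function`. Using both checks costs nothing and covers each other's gaps.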
