From d2770b2bd0788d4c678e8d4425da4b969c2a9fdf Mon Sep 17 00:00:00 2001
From: Alex Brasetvik
Date: Thu, 17 Oct 2019 15:50:26 +0200
Subject: [PATCH] fixup! Sanitize sourceURL so it cannot affect evaled code
---
 lodash.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lodash.js b/lodash.js
index 747f05c41d5..5ee7682dc00 100644
--- a/lodash.js
+++ b/lodash.js
@@ -14822,7 +14822,7 @@
 // to normalize all kinds of whitespace, so e.g. newlines (and unicode versions of it) can't sneak in
 // and escape the comment, thus injecting code that gets evaled.
 var sourceURL = '//# sourceURL=' + (
- options.sourceURL
+ hasOwnProperty.call(options, 'sourceURL')
 ? (options.sourceURL + '').replace(/\s/g, ' ')
 : ('lodash.templateSources[' + (++templateCounter) + ']')
 ) + '\n';
@@ -14856,7 +14856,7 @@
 // If `variable` is not specified wrap a with-statement around the generated
 // code to add the data object to the top of the scope chain.
- var variable = options.variable;
+ var variable = hasOwnProperty.call(options, 'variable') && options.variable;
 if (!variable) {
 source = 'with (obj) {\n' + source + '\n}\n';
 }
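Review bot: The `hasOwnProperty.call(options, 'sourceURL')` check only holds if `options` has not already absorbed inherited keys as own properties, and the hunk does not show how `options` is built. If it is produced earlier in the enclosing function (outside this hunk) by a merge that also enumerates inherited keys, a `sourceURL` set on a polluted prototype would be copied onto `options` and still pass this check. Please confirm that, and add a regression test asserting that the `lodash.templateSources[n]` default is used when `sourceURL` exists only on the prototype chain. A comment above the check such as `// own-property lookup only: an inherited sourceURL must not reach the evaled source` would record the intent.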
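Review bot: The new `variable` lookup ignores an inherited value but accepts any own value as-is, while the whitespace normalisation applied to `sourceURL` in the first hunk has no counterpart here. `variable` is consumed further down in the enclosing function, outside this hunk; if it is concatenated into the generated source (inferred, not visible here), a caller-supplied option reaches evaluated code unvalidated. Consider validating right after the lookup, e.g. `if (variable && !/^[A-Za-z_$][\w$]*$/.test(variable)) throw new Error('Invalid variable option');`, or at least rejecting characters that cannot appear in a parameter name. Note also that `variable` is now `false` rather than `undefined` when the option is absent, so later uses must stay truthiness-based.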