fix(angular.merge): do not merge __proto__ property

By blocking `__proto__` on deep merging, this commit
prevents the `Object` prototype from being polluted.

Author: petebacondarwin

src/Angular.js

@@ -350,8 +350,10 @@ function baseExtend(dst, objs, deep) {
         } else if (isElement(src)) {
           dst[key] = src.clone();
         } else {
-          if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
-          baseExtend(dst[key], [src], true);
+          if (key !== '__proto__') {
+            if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
+            baseExtend(dst[key], [src], true);
+          }
         }
       } else {
         dst[key] = src;

test/AngularSpec.js

@@ -784,6 +784,19 @@ describe('angular', function() {
       expect(isElement(dst.jqObject)).toBeTruthy();
       expect(dst.jqObject.nodeName).toBeUndefined(); // i.e it is a jqLite/jQuery object
     });
+
+    it('should not merge the __proto__ property', function() {
+      var src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
+      var dst = {};
+
+      merge(dst, src);
+
+      if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
+        // Should not overwrite the __proto__ property or pollute the Object prototype
+        expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
+      }
+      expect(({}).xxx).toBeUndefined();
+    });
   });