diff --git a/src/core/core.js b/src/core/core.js
index e0579a45c97..21e04ec54f2 100644
--- a/src/core/core.js
+++ b/src/core/core.js
@@ -9,21 +9,23 @@ const version = '$_CURRENT_SDK_VERSION';
  */
 const revision = '$_CURRENT_SDK_REVISION';
 
+import { Debug } from './debug.js';
+
 /**
  * Merge the contents of two objects into a single object.
  *
  * @param {object} target - The target object of the merge.
- * @param {object} ex - The object that is merged with target.
+ * @param {object} ex - The object to be merged into the target.
  * @returns {object} The target object.
  * @example
- * const A = {
+ * var A = {
  *     a: function () {
- *         console.log(this.a);
+ *         console.log('a');
  *     }
  * };
- * const B = {
+ * var B = {
  *     b: function () {
- *         console.log(this.b);
+ *         console.log('b');
  *     }
  * };
  *
@@ -36,12 +38,28 @@ const revision = '$_CURRENT_SDK_REVISION';
  */
 function extend(target, ex) {
     for (const prop in ex) {
+        if (!Object.prototype.hasOwnProperty.call(ex, prop)) {
+            continue;
+        }
+
+        const isForbidden = prop === '__proto__' || prop === 'constructor' || prop === 'prototype';
+        if (isForbidden) {
+            Debug.warnOnce(`Ignoring forbidden property: ${prop}`);
+            continue;
+        }
+
         const copy = ex[prop];
 
         if (Array.isArray(copy)) {
-            target[prop] = extend([], copy);
+            if (!Array.isArray(target[prop])) {
+                target[prop] = [];
+            }
+            extend(target[prop], copy);
         } else if (copy && typeof copy === 'object') {
-            target[prop] = extend({}, copy);
+            if (!target[prop] || typeof target[prop] !== 'object') {
+                target[prop] = {};
+            }
+            extend(target[prop], copy);
         } else {
             target[prop] = copy;
         }
@@ -50,4 +68,5 @@ function extend(target, ex) {
     return target;
 }
 
+
 export { extend, revision, version };
diff --git a/src/framework/components/element/markup.js b/src/framework/components/element/markup.js
index 1fe9eb77338..6f91c002335 100644
--- a/src/framework/components/element/markup.js
+++ b/src/framework/components/element/markup.js
@@ -1,3 +1,5 @@
+import { Debug } from '../../../core/debug.js';
+
 // markup scanner
 
 // list of scanner tokens
@@ -334,12 +336,19 @@ class Parser {
 // of assign)
 function merge(target, source) {
     for (const key in source) {
-        if (!source.hasOwnProperty(key)) {
+        if (!Object.prototype.hasOwnProperty.call(source, key)) {
             continue;
         }
+
+        const isForbidden = key === '__proto__' || key === 'constructor' || key === 'prototype';
+        Debug.assert(!isForbidden, `Ignoring forbidden property: ${key}`);
+        if (isForbidden) {
+            continue;
+        }
+
         const value = source[key];
         if (value instanceof Object) {
-            if (!target.hasOwnProperty(key)) {
+            if (!Object.prototype.hasOwnProperty.call(target, key)) {
                 target[key] = { };
             }
             merge(target[key], source[key]);
@@ -380,7 +389,7 @@ function resolveMarkupTags(tags, numSymbols) {
     const edges = { };
     for (let index = 0; index < tags.length; ++index) {
         const tag = tags[index];
-        if (!edges.hasOwnProperty(tag.start)) {
+        if (!Object.prototype.hasOwnProperty.call(edges, tag.start)) {
             edges[tag.start] = { open: [tag], close: null };
         } else {
             if (edges[tag.start].open === null) {
@@ -390,7 +399,7 @@ function resolveMarkupTags(tags, numSymbols) {
             }
         }
 
-        if (!edges.hasOwnProperty(tag.end)) {
+        if (!Object.prototype.hasOwnProperty.call(edges, tag.end)) {
             edges[tag.end] = { open: null, close: [tag] };
         } else {
             if (edges[tag.end].close === null) {