From d486007a688bf10fa5a2ae72eed1e29b4b01a76a Mon Sep 17 00:00:00 2001
From: markwhitfeld
Date: Wed, 26 Apr 2023 18:26:08 +0200
Subject: [PATCH] fix: explicitly ignore vulnerable properties
---
src/parser.coffee | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/parser.coffee b/src/parser.coffee
index eb19c5b0..2aeb4ab6 100644
--- a/src/parser.coffee
+++ b/src/parser.coffee
@@ -52,6 +52,8 @@ class exports.Parser extends events
@emit err
assignOrPush: (obj, key, newValue) =>
+ return if key == '__proto__'
+ return if key == 'constructor'
if key not of obj
if not @options.explicitArray
obj[key] = newValue
@@ -113,7 +115,7 @@ class exports.Parser extends events
if @options.mergeAttrs
@assignOrPush obj, processedKey, newValue
else
- obj[attrkey][processedKey] = newValue
+ @assignOrPush obj[attrkey], processedKey, newValue
# need a place to store the node name
obj["#name"] = if @options.tagNameProcessors then processItem(@options.tagNameProcessors, node.name) else node.name
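Review bot: The two guards added at the top of `assignOrPush` discard a `__proto__` or `constructor` key silently, so an attribute that is legitimately named `constructor` disappears from the result with no error or event, and nothing in the code records why the names are special. A comment such as `# never write keys that can reach Object.prototype (prototype pollution)` above the guards would document the intent, and the two lines could be a single check, `return if key in ['__proto__', 'constructor']`. The following context line, `if key not of obj`, compiles to JavaScript `in` and therefore also matches inherited names such as `toString`; those keys still take the else branch, which lies outside this hunk, so an own-property test or result objects built with `Object.create(null)` would be a more complete defence than a name list. The body of `assignOrPush` continues past the end of the hunk.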
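Review bot: Routing the non-merged attribute write through `@assignOrPush obj[attrkey], processedKey, newValue` changes more than the key filtering, because `assignOrPush` also applies the `explicitArray` and push-on-duplicate logic that the plain assignment never had. The array branch is outside the visible hunks, but if it wraps values when `explicitArray` is set, every attribute under `attrkey` would presumably change from a string to a one-element array, which is a breaking change for callers. Keeping the direct write and guarding only the key would preserve the output shape, for example `obj[attrkey][processedKey] = newValue unless processedKey in ['__proto__', 'constructor']`. A regression test that parses a document carrying a `__proto__` attribute and asserts that `Object.prototype` is unchanged would pin the fix; the patch touches only `src/parser.coffee`.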