fix: Merged prototype pollution check into 2.x

src/purify.js

@@ -14,6 +14,7 @@ import {
   stringToString,
   stringIndexOf,
   stringTrim,
+  numberIsNaN,
   regExpTest,
   typeErrorCreate,
   lookupGetter,
@@ -1403,8 +1404,14 @@ function createDOMPurify(window = getGlobal()) {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (
+        shadowNode.__depth >= MAX_NESTING_DEPTH ||
+        numberIsNaN(shadowNode.__depth)
+      ) {
         _forceRemove(shadowNode);
       }
 
@@ -1570,8 +1577,14 @@ function createDOMPurify(window = getGlobal()) {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (currentNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (
+        currentNode.__depth >= MAX_NESTING_DEPTH ||
+        numberIsNaN(currentNode.__depth)
+      ) {
         _forceRemove(currentNode);
       }
 

src/utils.js

@@ -50,6 +50,8 @@ const regExpTest = unapply(RegExp.prototype.test);
 
 const typeErrorCreate = unconstruct(TypeError);
 
+const numberIsNaN = unapply(Number.isNaN);
+
 export function unapply(func) {
   return (thisArg, ...args) => apply(func, thisArg, args);
 }
@@ -155,6 +157,8 @@ export {
   stringToLowerCase,
   stringToString,
   stringTrim,
+  // Number
+  numberIsNaN,
   // Errors
   typeErrorCreate,
   // Other