cure53
diff --git a/‎dist/purify.cjs.js
Lines changed: 11 additions & 4 deletions b/‎dist/purify.cjs.js
Lines changed: 11 additions & 4 deletions
diff --git a/‎dist/purify.cjs.js.map
Lines changed: 1 addition & 1 deletion b/‎dist/purify.cjs.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.es.mjs
Lines changed: 11 additions & 4 deletions b/‎dist/purify.es.mjs
Lines changed: 11 additions & 4 deletions
diff --git a/‎dist/purify.es.mjs.map
Lines changed: 1 addition & 1 deletion b/‎dist/purify.es.mjs.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.js
Lines changed: 11 additions & 4 deletions b/‎dist/purify.js
Lines changed: 11 additions & 4 deletions
diff --git a/‎dist/purify.js.map
Lines changed: 1 addition & 1 deletion b/‎dist/purify.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.min.js
Lines changed: 1 addition & 1 deletion b/‎dist/purify.min.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.min.js.map
Lines changed: 1 addition & 1 deletion b/‎dist/purify.min.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/purify.js
Lines changed: 17 additions & 4 deletions b/‎src/purify.js
Lines changed: 17 additions & 4 deletions
diff --git a/‎src/utils.js
Lines changed: 4 additions & 0 deletions b/‎src/utils.js
Lines changed: 4 additions & 0 deletions
@@ -48,6 +48,7 @@ const stringTrim = unapply(String.prototype.trim);
 const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
 const regExpTest = unapply(RegExp.prototype.test);
 const typeErrorCreate = unconstruct(TypeError);
+const numberIsNaN = unapply(Number.isNaN);
 
 /**
  * Creates a new function that calls the given function with a specified thisArg and arguments.
@@ -1307,8 +1308,11 @@ function createDOMPurify() {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
         _forceRemove(shadowNode);
       }
 
@@ -1445,8 +1449,11 @@ function createDOMPurify() {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (currentNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
         _forceRemove(currentNode);
       }
 
 
@@ -15,6 +15,7 @@ import {
   stringToString,
   stringIndexOf,
   stringTrim,
+  numberIsNaN,
   regExpTest,
   typeErrorCreate,
   lookupGetter,
@@ -1426,8 +1427,14 @@ function createDOMPurify(window = getGlobal()) {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (
+        shadowNode.__depth >= MAX_NESTING_DEPTH ||
+        numberIsNaN(shadowNode.__depth)
+      ) {
         _forceRemove(shadowNode);
       }
 
@@ -1577,8 +1584,14 @@ function createDOMPurify(window = getGlobal()) {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (currentNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (
+        currentNode.__depth >= MAX_NESTING_DEPTH ||
+        numberIsNaN(currentNode.__depth)
+      ) {
         _forceRemove(currentNode);
       }
 
 
@@ -52,6 +52,8 @@ const regExpTest = unapply(RegExp.prototype.test);
 
 const typeErrorCreate = unconstruct(TypeError);
 
+const numberIsNaN = unapply(Number.isNaN);
+
 /**
  * Creates a new function that calls the given function with a specified thisArg and arguments.
  *
@@ -215,6 +217,8 @@ export {
   stringToLowerCase,
   stringToString,
   stringTrim,
+  // Number
+  numberIsNaN,
   // Errors
   typeErrorCreate,
   // Other
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ const stringTrim = unapply(String.prototype.trim);`
`48`	`48`	`const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);`
`49`	`49`	`const regExpTest = unapply(RegExp.prototype.test);`
`50`	`50`	`const typeErrorCreate = unconstruct(TypeError);`
	`51`	`+const numberIsNaN = unapply(Number.isNaN);`
`51`	`52`
`52`	`53`	`/**`
`53`	`54`	`* Creates a new function that calls the given function with a specified thisArg and arguments.`
`@@ -1307,8 +1308,11 @@ function createDOMPurify() {`
`1307`	`1308`	`}`
`1308`	`1309`	`}`
`1309`	`1310`
`1310`		`- /* Remove an element if nested too deeply to avoid mXSS */`
`1311`		`- if (shadowNode.__depth >= MAX_NESTING_DEPTH) {`
	`1311`	`+ /*`
	`1312`	`+ * Remove an element if nested too deeply to avoid mXSS`
	`1313`	`+ * or if the __depth might have been tampered with`
	`1314`	`+ */`
	`1315`	`+ if (shadowNode.__depth >= MAX_NESTING_DEPTH \|\| numberIsNaN(shadowNode.__depth)) {`
`1312`	`1316`	`_forceRemove(shadowNode);`
`1313`	`1317`	`}`
`1314`	`1318`
`@@ -1445,8 +1449,11 @@ function createDOMPurify() {`
`1445`	`1449`	`}`
`1446`	`1450`	`}`
`1447`	`1451`
`1448`		`- /* Remove an element if nested too deeply to avoid mXSS */`
`1449`		`- if (currentNode.__depth >= MAX_NESTING_DEPTH) {`
	`1452`	`+ /*`
	`1453`	`+ * Remove an element if nested too deeply to avoid mXSS`
	`1454`	`+ * or if the __depth might have been tampered with`
	`1455`	`+ */`
	`1456`	`+ if (currentNode.__depth >= MAX_NESTING_DEPTH \|\| numberIsNaN(currentNode.__depth)) {`
`1450`	`1457`	`_forceRemove(currentNode);`
`1451`	`1458`	`}`
`1452`	`1459`