Fix prototype pollution in removeAttributeNS

Author: jameswassink

dom-element.js

@@ -128,6 +128,10 @@ DOMElement.prototype.getAttributeNS =
 
 DOMElement.prototype.removeAttributeNS =
     function _Element_removeAttributeNS(namespace, name) {
+        var forbiddenKeys = ['__proto__', 'constructor', 'prototype'];
+        if (forbiddenKeys.includes(name)) {
+            return; // Ignore dangerous keys
+        }
         var attributes = this._attributes[namespace];
         if (attributes) {
             delete attributes[name]