Breaking out two issues from Koto (second comment in issue #5) to track separately:
var in Object will let through prototype properties:
<constructor desc="element name bypass, harmless" constructor="same here">
<b style="constructor: url(//do-stuff.harmless-now)">a</b>
HTML comments should not be let through, otherwise mXSS via e.g. document.createComment('--><script>alert(1)</script>')
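Added example, not part of the original issue or the project's own code: a minimal allowlist sanitizer over a constructed node model, showing how an `in` check admits names inherited from `Object.prototype` while an own-property check does not, and how comment nodes are dropped rather than copied. The allowlists, node shape and function names are assumptions made for illustration.

```javascript
// Added example: allowlists, node model and function names are hypothetical.
const ELEMENTS = { b: true, i: true, p: true };
const ATTRIBUTES = { style: true, title: true };
const CSS_PROPS = { color: true, 'font-weight': true };

// Weak: `in` also matches names inherited from Object.prototype
// ("constructor", "toString", "valueOf", ...).
const weak = (list, name) => name in list;
// Strict: only the allowlist's own keys count.
const strict = (list, name) => Object.prototype.hasOwnProperty.call(list, name);

// Constructed node model: type 1 = element, 3 = text, 8 = comment.
function sanitize(node, allowed) {
  if (node.type === 3) return { type: 3, text: node.text };
  // Comments (type 8) and every other node type are dropped, never copied.
  if (node.type !== 1 || !allowed(ELEMENTS, node.name)) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (!allowed(ATTRIBUTES, name)) continue;
    // Style is modelled as [property, value] pairs; filter each property too.
    attrs[name] = name === 'style'
      ? value.filter(([prop]) => allowed(CSS_PROPS, prop))
      : value;
  }
  const children = (node.children || [])
    .map((child) => sanitize(child, allowed))
    .filter(Boolean);
  return { type: 1, name: node.name, attrs, children };
}

// Constructed input modelled on the two snippets in the issue, plus a comment node.
const sample = {
  type: 1, name: 'p', attrs: {}, children: [
    { type: 1, name: 'constructor', attrs: { desc: 'x', constructor: 'y' }, children: [] },
    { type: 1, name: 'b',
      attrs: { style: [['constructor', 'url(//example.invalid)'], ['color', 'red']] },
      children: [{ type: 3, text: 'a' }] },
    { type: 8, text: 'constructed comment' },
  ],
};

const weakOut = sanitize(sample, weak);     // keeps <constructor> and the "constructor" names
const strictOut = sanitize(sample, strict); // keeps only <b style="color"> and its text
console.log(JSON.stringify(weakOut));
console.log(JSON.stringify(strictOut));
```

A `Set` of allowed names, or an allowlist created with `Object.create(null)`, avoids the inherited-property match in the same way.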