Adds `constructor`
`constructor` is the only lowercase identifier that is `in` all JavaScript objects, and can be involved in obscure XSS so can be used to abuse code that uses JavaScript objects as lookup tables.
```js
var empty = {};
if ('constuctor' in empty && empty['constructor']) {
// runs
}
empty['constructor']['constructor']('alert(1)')(); // Parses and runs
```