Changeset 117928 in webkit


Timestamp:
May 22, 2012 12:50:51 AM (12 years ago)
Author:
haraken@chromium.org
Message:

REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
https://bugs.webkit.org/show_bug.cgi?id=86991

Reviewed by Ojan Vafai.

Source/WebCore:

Original Chromium bug: http://code.google.com/p/chromium/issues/detail?id=128723

Consider the following html:

<html><body><form>
<input type="hidden" name="arguments"></input>
<div onclick="onclicked()" id="divInsideForm">Click here</div>
</form></body>
<script>
function onclicked() {
  alert("onclicked");
}
</script>
</html>

If we click "Click here", JavaScript throws "Uncaught TypeError: undefined has no properties".

This is a regression caused by r110315. V8LazyEventListener should not use
'arguments' to retrieve the execution contexts, since 'arguments' can be
shadowed by JavaScript.

This patch changes V8LazyEventListener so that it retrieves contexts
by this[2], this[1] and this[0].

Test: fast/forms/form-input-named-arguments.html

  • bindings/v8/V8LazyEventListener.cpp:

(WebCore::V8LazyEventListener::prepareListenerObject):

LayoutTests:

The added test checks whether an event handler is successfully invoked
for an input element with name="arguments".

  • fast/forms/form-input-named-arguments-expected.txt: Added.
  • fast/forms/form-input-named-arguments.html: Added.
Location:
trunk
Files:
2 added
4 edited
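
The shadowing described in the commit message, reproduced outside the browser as an added example (not code from the changeset). Plain objects stand in for the node, form and document wrappers; `BODY`, `run` and `runWithPrototypeSetter` are names made up here, and the two wrapper strings follow the shapes shown in the V8LazyEventListener.cpp diff.

```javascript
// Constructed stand-ins for the node, form and document wrappers.
const node = { id: "divInsideForm" };
const doc = { title: "constructed doc" };
const plainForm = { action: "/submit" };
// A form exposes its controls by name, so <input name="arguments"> adds this property.
const shadowingForm = { action: "/submit", arguments: { tagName: "INPUT" } };

const BODY = "return [id, action, title].join('|');"; // hypothetical handler body

// Wrapper shape before r117928: `arguments` is looked up inside the `with` scopes.
const oldWrapper = new Function(
  "with (arguments[2]) {" +
  "with (arguments[1]) {" +
  "with (arguments[0]) {" +
  "return function(event) {" + BODY + "\n};}}}");

// Wrapper shape after r117928: the scopes are read from `this`, which is the
// arguments object because the inner function is called as arguments[3]().
const newWrapper = new Function(
  "arguments[3] = function() {" +
  "with (this[2]) {" +
  "with (this[1]) {" +
  "with (this[0]) {" +
  "return function(event) {" + BODY + "\n};}}}};" +
  "return arguments[3]();");

// Build the listener and invoke it once; report the result or the error name.
function run(wrapper, args) {
  try {
    return wrapper(...args)(null);
  } catch (e) {
    return e.name;
  }
}

// The fourth argument matters when "3" is an accessor on Object.prototype:
// with only three arguments the assignment goes to that setter instead.
function runWithPrototypeSetter(args) {
  Object.defineProperty(Object.prototype, "3", { set() {}, configurable: true });
  try {
    return run(newWrapper, args);
  } finally {
    delete Object.prototype[3];
  }
}

console.log(run(oldWrapper, [node, shadowingForm, doc]));       // TypeError
console.log(run(newWrapper, [node, shadowingForm, doc, null])); // divInsideForm|/submit|constructed doc
```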

  • trunk/LayoutTests/ChangeLog

    r117927 r117928  
     12012-05-22  Kentaro Hara  <haraken@chromium.org>
     2
     3        REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
     4        https://bugs.webkit.org/show_bug.cgi?id=86991
     5
     6        Reviewed by Ojan Vafai.
     7
     8        The added test checks whether an event handler is successfully invoked
     9        for an input element with name="arguments".
     10
     11        * fast/forms/form-input-named-arguments-expected.txt: Added.
     12        * fast/forms/form-input-named-arguments.html: Added.
     13
    1142012-05-22  Emil A Eklund  <eae@chromium.org>
    215
  • trunk/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt

    r110345 r117928  
    1919script 6:
    2020    start: 51:56
    21     end: 52:7
     21    end: 52:31
    2222Debugger was disabled.
    2323
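Review bot: The rebaseline from `end: 52:7` to `end: 52:31` is not listed in the LayoutTests ChangeLog entry, which names only the two added form tests. Add this file to the entry with a line saying why the offset moves: the new column matches the longer wrapper suffix in V8LazyEventListener.cpp (7 characters after the inserted newline before, 31 now). Only the chromium-win expectation is touched here, so any other platform baseline that records the same end column needs the same update.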
  • trunk/Source/WebCore/ChangeLog

    r117926 r117928  
     12012-05-22  Kentaro Hara  <haraken@chromium.org>
     2
     3        REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
     4        https://bugs.webkit.org/show_bug.cgi?id=86991
     5
     6        Reviewed by Ojan Vafai.
     7
     8        Original Chromium bug: http://code.google.com/p/chromium/issues/detail?id=128723
     9
     10        Consider the following html:
     11
     12        <html><body><form>
     13        <input type="hidden" name="arguments"></input>
     14        <div onclick="onclicked()" id="divInsideForm">Click here</div>
     15        </form></body>
     16        <script>
     17        function onclicked() {
     18          alert("onclicked");
     19        }
     20        </script>
     21        </html>
     22
     23        If we click "Click here", JavaScript throws "Uncaught TypeError: undefined has no properties".
     24
     25        This is a regression caused by r110315. V8LazyEventListener should not use
     26        'arguments' to retrieve the execution contexts, since 'arguments' can be
     27        shadowed by JavaScript.
     28
     29        This patch changes V8LazyEventListener so that it retrieves contexts
     30        by this[2], this[1] and this[0].
     31
     32        Test: fast/forms/form-input-named-arguments.html
     33
     34        * bindings/v8/V8LazyEventListener.cpp:
     35        (WebCore::V8LazyEventListener::prepareListenerObject):
     36
    1372012-05-22  Kentaro Hara  <haraken@chromium.org>
    238
  • trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp

    r115652 r117928  
    138138    //        we have to do this hack! What if m_code escapes to run arbitrary script?
    139139    //
     140    // Call with 4 arguments instead of 3, pass additional null as the last parameter.
     141    // By calling the function with 4 arguments, we create a setter on arguments object
     142    // which would shadow property "3" on the prototype.
    140143    String code = "(function() {" \
    141         "with (arguments[2]) {" \
    142         "with (arguments[1]) {" \
    143         "with (arguments[0]) {";
     144        "arguments[3] = function() {" \
     145        "with (this[2]) {" \
     146        "with (this[1]) {" \
     147        "with (this[0]) {";
    144148    code.append("return function(");
    145149    code.append(m_eventParameterName);
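Review bot: The new comment at 140-142 says the fourth argument will "create a setter", but what it gives the arguments object is an own property "3", so the assignment `arguments[3] = function() {` at 144 writes to that property rather than reaching an accessor defined for "3" on the prototype. Reword the comment to say that. The added test is described as covering only name="arguments"; a second case with "3" defined on Object.prototype would cover the reason given for the extra parameter.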
     
    147151    code.append(m_code);
    148152    // Insert '\n' otherwise //-style comments could break the handler.
    149     code.append("\n};}}}})");
     153    code.append("\n};}}}};");
     154    code.append("return arguments[3]();})");
    150155    v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
    151156
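Review bot: `return arguments[3]();` at 154 is the line that makes `this[2]`, `this[1]` and `this[0]` work, because calling the function as a property of the arguments object binds `this` to that object, and neither the comment nor the code says so. A one-line comment here would help, also noting that this reference to `arguments` sits outside the `with` blocks and so is not subject to the shadowing the change fixes. The closing sequence is now split over the appends at 153 and 154 and has to stay balanced with the four openers at 144-147.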
     
    175180    v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);
    176181
    177     v8::Handle<v8::Value> parameters[3] = { nodeWrapper, formWrapper, documentWrapper };
     182    v8::Handle<v8::Value> parameters[4] = { nodeWrapper, formWrapper, documentWrapper, v8::Handle<v8::Value>(v8::Null()) };
    178183
    179184    // FIXME: Remove this code when we stop doing the 'with' hack above.
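Review bot: `parameters[4]` at 182 hard-codes the size and relies on the trailing null lining up with `arguments[3]` in the code string; the call that passes this array is not in the hunk and has to pass a count of 4 as well. Derive the count from the array rather than repeating the literal, and put a short comment on the null saying it reserves index 3 for the wrapper.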