Changeset 117928 in webkit
- Timestamp: May 22, 2012 12:50:51 AM (12 years ago)
- Location: trunk
- Files: 2 added, 4 edited
trunk/LayoutTests/ChangeLog
r117927 r117928 1 2012-05-22 Kentaro Hara <haraken@chromium.org> 2 3 REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments" 4 https://bugs.webkit.org/show_bug.cgi?id=86991 5 6 Reviewed by Ojan Vafai. 7 8 The added test checks whether an event handler is successfully invoked 9 for an input element with name="arguments". 10 11 * fast/forms/form-input-named-arguments-expected.txt: Added. 12 * fast/forms/form-input-named-arguments.html: Added. 13 1 14 2012-05-22 Emil A Eklund <eae@chromium.org> 2 15 -
trunk/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt
r110345 r117928 19 19 script 6: 20 20 start: 51:56 21 end: 52: 721 end: 52:31 22 22 Debugger was disabled. 23 23 -
trunk/Source/WebCore/ChangeLog
r117926 r117928 1 2012-05-22 Kentaro Hara <haraken@chromium.org> 2 3 REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments" 4 https://bugs.webkit.org/show_bug.cgi?id=86991 5 6 Reviewed by Ojan Vafai. 7 8 Original Chromium bug: http://code.google.com/p/chromium/issues/detail?id=128723 9 10 Consider the following html: 11 12 <html><body><form> 13 <input type="hidden" name="arguments"></input> 14 <div onclick="onclicked()" id="divInsideForm">Click here</div> 15 </form></body> 16 <script> 17 function onclicked() { 18 alert("onclicked"); 19 } 20 </script> 21 </html> 22 23 If we click "Click here", JavaScript throws "Uncaught TypeError: undefined has no properties". 24 25 This is a regression caused by r110315. V8LazyEventListener should not use 26 'arguments' to retrieve the execution contexts, since 'arguments' can be 27 shadowed by JavaScript. 28 29 This patch changes V8LazyEventListener so that it retrieves contexts 30 by this[2], this[1] and this[0]. 31 32 Test: fast/forms/form-input-named-arguments.html 33 34 * bindings/v8/V8LazyEventListener.cpp: 35 (WebCore::V8LazyEventListener::prepareListenerObject): 36 1 37 2012-05-22 Kentaro Hara <haraken@chromium.org> 2 38 -
trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp
r115652 r117928 138 138 // we have to do this hack! What if m_code escapes to run arbitrary script? 139 139 // 140 // Call with 4 arguments instead of 3, pass additional null as the last parameter. 141 // By calling the function with 4 arguments, we create a setter on arguments object 142 // which would shadow property "3" on the prototype. 140 143 String code = "(function() {" \ 141 "with (arguments[2]) {" \ 142 "with (arguments[1]) {" \ 143 "with (arguments[0]) {"; 144 "arguments[3] = function() {" \ 145 "with (this[2]) {" \ 146 "with (this[1]) {" \ 147 "with (this[0]) {"; 144 148 code.append("return function("); 145 149 code.append(m_eventParameterName); … … 147 151 code.append(m_code); 148 152 // Insert '\n' otherwise //-style comments could break the handler. 149 code.append("\n};}}}})"); 153 code.append("\n};}}}};"); 154 code.append("return arguments[3]();})"); 150 155 v8::Handle<v8::String> codeExternalString = v8ExternalString(code); 151 156 … … 175 180 v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0); 176 181 177 v8::Handle<v8::Value> parameters[ 3] = { nodeWrapper, formWrapper, documentWrapper};182 v8::Handle<v8::Value> parameters[4] = { nodeWrapper, formWrapper, documentWrapper, v8::Handle<v8::Value>(v8::Null()) }; 178 183 179 184 // FIXME: Remove this code when we stop doing the 'with' hack above.
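Review bot: In trunk/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt the end position for script 6 moves from 52:7 to 52:31, but the LayoutTests/ChangeLog entry lists only the two added fast/forms files and does not mention this rebaseline. Please add a ChangeLog line for it stating that the longer wrapper suffix appended in V8LazyEventListener.cpp ("return arguments[3]();})") is what shifts the end column, and confirm whether any other platform's copy of this expectation records the same position and needs the same update.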
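Review bot: The new comment above the code string in V8LazyEventListener::prepareListenerObject ("we create a setter on arguments object which would shadow property "3" on the prototype") does not state the mechanism the fix relies on. What makes this[2], this[1] and this[0] resolve to the wrappers is that "return arguments[3]();" is a method call on the arguments object, so inside the inner function `this` is that arguments object, and `this` cannot be rebound by a `with` scope the way the identifier `arguments` can. Suggest saying that directly in the comment, and also noting that the two remaining uses of `arguments` ("arguments[3] = function() {" and "return arguments[3]();") are safe only because they sit outside all three `with` blocks; a later edit that moves them inside would reintroduce the name="arguments" regression.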
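Review bot: In the last hunk of V8LazyEventListener.cpp, the fourth element of `parameters[4]`, `v8::Handle<v8::Value>(v8::Null())`, is a placeholder whose only purpose is to reserve index 3 for the "arguments[3] = function() {" assignment in the code string built earlier, and nothing at this site says so. The array size and the literal index in the string are now coupled by convention only. Suggest a short comment on the null entry pointing at the code string, or a shared constant for the slot index, so that a change to one is not made without the other.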