Source/WebCore/bindings/v8/V8LazyEventListener.cpp - Issue 10532125: Merge 117928 - REGRESSION r110315: Event handler throws TypeError for an input element with name="a…

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/WebCore/bindings/v8/V8LazyEventListener.cpp

Issue 10532125: Merge 117928 - REGRESSION r110315: Event handler throws TypeError for an input element with name="a… (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1132/

Patch Set: Created 8 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: Source/WebCore/bindings/v8/V8LazyEventListener.cpp

===================================================================

--- Source/WebCore/bindings/v8/V8LazyEventListener.cpp (revision 120196)

+++ Source/WebCore/bindings/v8/V8LazyEventListener.cpp (working copy)

@@ -137,16 +137,21 @@

// FIXME: V8 does not allow us to programmatically create object environments so

// we have to do this hack! What if m_code escapes to run arbitrary script?

+ // Call with 4 arguments instead of 3, pass additional null as the last parameter.

+ // By calling the function with 4 arguments, we create a setter on arguments object

+ // which would shadow property "3" on the prototype.

String code = "(function() {" \

- "with (arguments[2]) {" \

- "with (arguments[1]) {" \

- "with (arguments[0]) {";

+ "arguments[3] = function() {" \

+ "with (this[2]) {" \

+ "with (this[1]) {" \

+ "with (this[0]) {";

code.append("return function(");

code.append(m_eventParameterName);

code.append(") {");

code.append(m_code);

// Insert '\n' otherwise //-style comments could break the handler.

- code.append("\n};}}}})");

+ code.append("\n};}}}};");

+ code.append("return arguments[3]();})");

v8::Handle<v8::String> codeExternalString = v8ExternalString(code);

v8::Handle<v8::Script> script = V8Proxy::compileScript(codeExternalString, m_sourceURL, m_position);

@@ -174,7 +179,7 @@

v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(formElement);

v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);

- v8::Handle<v8::Value> parameters[3] = { nodeWrapper, formWrapper, documentWrapper };

+ v8::Handle<v8::Value> parameters[4] = { nodeWrapper, formWrapper, documentWrapper, v8::Handle<v8::Value>(v8::Null()) };

// FIXME: Remove this code when we stop doing the 'with' hack above.

v8::Local<v8::Value> innerValue;

« no previous file with comments | « LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt ('k') | no next file » | no next file with comments »