Issue 650: Improper evaluation of regex is causing Chrome to bypass the
form data validation
http://code.google.com/p/chromium/issues/detail?id=650
Comment #11 by [EMAIL PROTECTED]:
This is caused by Chrome exposing some of its inner details when retrieving
the source code of an event handler. In this case, if
onSubmit="return validate(this)" is set, then onsubmit.toString will return
    function onsubmit(evt) {
      with (this.ownerDocument ? this.ownerDocument : {}) {
        with (this.form ? this.form : {}) {
          with (this) {
            return (function(evt){return validate(this)}).call(this, evt);
          }
        }
      }
    }
whereas Safari will return the more sensible
    function onsubmit(event)
    {
      return validate(this);
    }
Returning the somewhat unexpected source code causes the rewrite of the
source with the RegExp to fail, with the rewritten source being this
    _kwtlOnSubmit = function onsubmit(evt) {
      with (_kwtlForm.ownerDocument ? this.ownerDocument : {}) {
        with (this.form ? this.form : {}) {
          with (this) {
            return (function(evt){return validate(this)}).call(this, evt);
          }
        }
      }
    }
and not
    _kwtlOnSubmit = function onsubmit(event)
    {
      return validate(_kwtlForm)
    }
If the code on the page is changed from
    var expr = "_kwtlOnSubmit = " +
        form.onsubmit.toString().replace(/this\s*([\)\.])/, '_kwtlForm$1');
to
    function x() { return validate(this); }
    var expr = "_kwtlOnSubmit = " +
        x.toString().replace(/this\s*([\)\.])/, '_kwtlForm$1');
the validation will work.
Issue attribute updates:
Owner: [EMAIL PROTECTED]
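
Added example (not part of the original comment or of the page's script): the rewrite from comment #11 run against the two source strings quoted there, showing that the regex has no global flag and so replaces only the first `this`, which in Chrome's output is `this.ownerDocument` and not the argument to validate(). The names rewrite(), validatesForm() and wrapHandler() are assumptions of this example; wrapHandler() is a hypothetical alternative that binds the form without parsing source text.

```javascript
// The page's regex: no "g" flag, so only the first match is replaced.
const PATTERN = /this\s*([\)\.])/;

// Source text as the comment reports Chrome returning it (copied from the page).
const chromeSource = [
  'function onsubmit(evt) {',
  'with (this.ownerDocument ? this.ownerDocument : {}) {',
  'with (this.form ? this.form : {}) {',
  'with (this) {',
  'return (function(evt){return validate(this)}).call(this, evt);',
  '}', '}', '}', '}'
].join('\n');

// Source text as the comment reports Safari returning it (copied from the page).
const safariSource = 'function onsubmit(event)\n{\nreturn validate(this);\n}';

// Same string rewrite the page's script performs before evaluating the result.
function rewrite(source) {
  return '_kwtlOnSubmit = ' + source.replace(PATTERN, '_kwtlForm$1');
}

// True only if the rewritten handler actually passes _kwtlForm to validate().
function validatesForm(rewritten) {
  return /validate\(_kwtlForm\)/.test(rewritten);
}

// Hypothetical alternative: keep the handler as a function and bind the form
// explicitly, so the result does not depend on what toString() returns.
function wrapHandler(form) {
  const handler = form.onsubmit;
  return function (evt) { return handler.call(form, evt); };
}

console.log('Safari source rewritten correctly:', validatesForm(rewrite(safariSource)));
console.log('Chrome source rewritten correctly:', validatesForm(rewrite(chromeSource)));
```
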