Reviewers: metaweta,

Description:
http://code.google.com/p/google-caja/issues/detail?id=1077

in valija, calling fn.apply({}) eventually calls
Array.slice(undefined, 0).  in firefox, Array.slice
is a builtin and returns [].  on other browsers,
Array.slice is defined in cajita.js, which tries to
evaluate undefined.length, which throws an exception.

this change makes cajita's Array.slice behave more
like firefox's.

Please review this at http://codereview.appspot.com/97041

Affected files:
  M     src/com/google/caja/cajita.js
  M     tests/com/google/caja/plugin/domita_test_untrusted.html


Index: tests/com/google/caja/plugin/domita_test_untrusted.html
===================================================================
--- tests/com/google/caja/plugin/domita_test_untrusted.html     (revision 3580)
+++ tests/com/google/caja/plugin/domita_test_untrusted.html     (working copy)
@@ -195,6 +195,8 @@

 <p class="testcontainer" id="test-bug-920"><input id="bug-920" /></p>

+<p class="testcontainer" id="test-browser-apply">test-browser-apply</p>
+
 <br>

 <form class="testcontainer" id="test-input-default-values">
@@ -1433,6 +1435,16 @@
   pass('test-bug-920');
 });

+// http://code.google.com/p/google-caja/issues/detail?id=1077
+jsunitRegister('testBrowserApply',
+               function testBrowserApply() {
+  var canary = 'alive';
+  var kill = function() { canary = 'dead'; };
+  kill.apply({});
+  assertEquals('dead', canary);
+  pass('test-browser-apply');
+});
+
 jsunitRegister('testInputDefaultValue',
                function testInputDefaultValue() {
   var form = document.getElementById('test-input-default-values');
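Review bot: testBrowserApply only asserts that the callee ran; it does not check what `apply({})` delivered to it, which is the path the cajita.js change is meant to fix (Array.slice on an undefined argument list). Consider asserting inside the callee as well, e.g. `var kill = function() { assertEquals(0, arguments.length); canary = 'dead'; };`, so a regression that passes a malformed argument list is caught rather than only an exception. This assumes `arguments` is usable in the test's sandboxed code; if it is not, a function with a named parameter and `assertEquals(undefined, arg)` would serve the same purpose.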
Index: src/com/google/caja/cajita.js
===================================================================
--- src/com/google/caja/cajita.js       (revision 3580)
+++ src/com/google/caja/cajita.js       (working copy)
@@ -95,7 +95,11 @@
 /** In anticipation of ES4, and because it's useful. */
 if (Array.slice === void 0) {
   Array.slice = function (self, start, end) {
- return Array.prototype.slice.call(self, start || 0, end || self.length);
+    if (typeof self === 'object') {
+ return Array.prototype.slice.call(self, start || 0, end || self.length);
+    } else {
+      return [];
+    }
   };
 }
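Review bot: The `typeof self === 'object'` guard at the top of the new Array.slice body does not cover `null`, since `typeof null === 'object'`, so `Array.slice(null, 0)` still reaches `self.length` and throws the same TypeError this change is meant to avoid. It also diverts every non-object input (strings, functions) to `[]`, which is a wider behavior change than the description states, since the previous code delegated those to Array.prototype.slice. A narrower guard that only short-circuits the missing-value case is `if (self == null) { return []; }` (the `== null` form matching both null and undefined), keeping the original `return Array.prototype.slice.call(self, start || 0, end || self.length);` for everything else. If the intent really is to reject all non-objects, a comment stating that, and a `self !== null` check, would make the behavior explicit.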


