Reviewers: MikeSamuel,
Description:
This fixes http://code.google.com/p/google-caja/issues/detail?id=1077

fn.apply() has trouble on IE[678] because IE's native apply doesn't conform to standards. ES5 says that these should all be equivalent:

    fn.apply(x)
    fn.apply(x, [])
    fn.apply(x, null)
    fn.apply(x, void 0)

but IE throws a type error for the last two.

There was a previous patch that fixed this problem in most cases, but it didn't fix the case of valija-mode Object.prototype.toString.apply(x), which is a common technique to get the native type of x.

I think this patch now fixes fn.apply() behavior in almost all cases. There are still two deviations from ES5 behavior, mentioned in domita_test_untrusted.html:

1. If fn.apply is the native apply, not a caja wrapper, then fn.apply(x, null) will throw a type error on IE. To fix that, fn.apply would have to always be a wrapper on IE. I don't think it's worth fixing that, because it's easy for programs to avoid the problem. And since this is an existing browser incompatibility, it's unlikely that programs rely on that specific behavior.

2. fn.apply(x, 9) is supposed to throw a type error, but when fn.apply is a caja wrapper, it's sometimes equivalent to fn.apply(x, undefined). To fix that, the fn.apply wrappers that use Array.slice would have to do a complex typecheck: throw an error unless args is null or undefined or an array or an array-like object like "arguments". I don't think that's worth it, since I can't think of a plausible reason that code would rely on getting a type error here.

Please review this at http://codereview.appspot.com/135054

Affected files:
    M src/com/google/caja/cajita.js
    M tests/com/google/caja/plugin/domita_test_untrusted.html
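Added example, not part of this patch or of Caja's code: a sketch of an apply wrapper that treats a missing, null or undefined argument list as empty and performs the typecheck described in deviation 2, following ES5 15.3.4.3. The names conformingApply, ieStyleApply and nativeTypeOf are hypothetical, and ieStyleApply is a constructed stand-in for the IE behaviour described in the message.

```javascript
// Constructed stand-in for the IE[678] behaviour described above: the native
// apply rejects a null or undefined argument list instead of treating it as [].
function ieStyleApply(fn, self, args) {
  if (args === null || args === undefined) {
    throw new TypeError('Array or arguments object expected');
  }
  return Function.prototype.apply.call(fn, self, args);
}

// Hypothetical wrapper: normalises the argument list per ES5 15.3.4.3 and
// always hands a real Array to whichever underlying apply the platform has.
function conformingApply(fn, self, args, underlyingApply) {
  var apply = underlyingApply || ieStyleApply;
  if (typeof fn !== 'function') {
    throw new TypeError('apply target is not callable');
  }
  if (args === null || args === undefined) {
    // Covers apply(x), apply(x, null) and apply(x, void 0).
    return apply(fn, self, []);
  }
  var t = typeof args;
  if (t !== 'object' && t !== 'function') {
    // Primitives such as 9 or "ab" are not valid argument lists.
    throw new TypeError('argument list must be an object');
  }
  // Copy array-likes ("arguments", {length: n, ...}) into a real Array,
  // which every native apply accepts.
  var n = args.length >>> 0;  // ToUint32, as ES5 specifies
  var list = new Array(n);
  for (var i = 0; i < n; i++) { list[i] = args[i]; }
  return apply(fn, self, list);
}

// The "native type" idiom from the description, routed through the wrapper.
function nativeTypeOf(x) {
  return conformingApply(Object.prototype.toString, x);
}
```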
