Reviewers: MarkM, felix8a,

Description:
ES5/3 must prevent Function.prototype.bind from being invoked with
toxic functions by such builtins as [].sort().  The current Chrome
debugger invokes the Function.prototype.bind in the guest frame
with a toxic function when printing the result of an expression
at the console.

This change adds a method to ___, called setTotallyUnsafeNoSecurityAtAll(),
that takes a flag controlling whether toxic functions are allowed through safeDis.

Please review this at http://codereview.appspot.com/6501074/

Affected files:
  M     src/com/google/caja/es53.js
  M     src/com/google/caja/plugin/bridal.js
  M     src/com/google/caja/plugin/domado.js


Index: src/com/google/caja/es53.js
===================================================================
--- src/com/google/caja/es53.js (revision 5031)
+++ src/com/google/caja/es53.js (working copy)
@@ -2558,6 +2558,14 @@
    * 11 Expressions
    */

+  // Some versions of Chrome debugger depend on passing toxic functions to
+  // the current binding of Function.prototype.bind.  This flag allows the
+  // program to continue by making it allow toxic functions.
+  var UTTERLY_UNSAFE = false;
+  function setUnsafe(value) {
+    UTTERLY_UNSAFE = !!value;
+  }
+
   /**
    * Throws an exception if the value is an unmarked function.
    */
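Review bot: The comment above `UTTERLY_UNSAFE` understates what the flag does: it is file-scope state read by the toxic-function check in the next hunk, so setting it relaxes that check for every caller, not only for the debugger's call into Function.prototype.bind. I would say so at the declaration, e.g. `// WARNING: while true, unmarked (toxic) functions pass the check for all callers; debugging only, never enable while untrusted guest code is loaded.` `setUnsafe` also deserves a short doc comment noting that the argument is coerced to a boolean and that a falsy value restores the check. The function documented by the trailing `/** Throws an exception ... */` comment starts outside this hunk.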
@@ -2566,7 +2574,9 @@
       if (value === Function.prototype) {
         throw new Error('Cannot invoke Function.prototype.');
       }
-      throw new Error('Internal: toxic function encountered!\n' + value);
+      if (!UTTERLY_UNSAFE) {
+        throw new Error('Internal: toxic function encountered!\n' + value);
+      }
     }
     return value;
   }
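Review bot: With the flag set, the new `if (!UTTERLY_UNSAFE)` guard lets an unmarked function fall through to `return value` without leaving any trace, so a page that leaves the flag on has no signal that the check is disabled. The description limits the need to the Chrome debugger calling Function.prototype.bind, yet the bypass applies to whatever reaches this check; if the other call sites are not meant to be relaxed, the exemption would be better placed in the bind path. Short of that, an `else` branch that reports the bypass through whatever logging hook the file already has (none is visible in this hunk) would make the state observable. The `Function.prototype` rejection above stays enforced regardless of the flag, which looks right. The enclosing function starts outside the hunk.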
@@ -3307,7 +3317,8 @@
       // 15.3.5.2
       rawDelete(funcBound, 'prototype');
       funcBound.new___ = function () {
-          throw "Constructing the result of a bind() not yet implemented.";
+          throw new Error(
+              "Constructing the result of a bind() not yet implemented.");
         };
       return funcBound;
     };
@@ -5543,7 +5554,8 @@
       getter: getter,
       setter: setter,
       directConstructor: directConstructor,
-      BASE_OBJECT_CONSTRUCTOR: BASE_OBJECT_CONSTRUCTOR
+      BASE_OBJECT_CONSTRUCTOR: BASE_OBJECT_CONSTRUCTOR,
+      setTotallyUnsafeNoSecurityAtAll: setUnsafe
     };
   var cajaVMKeys = ownEnumKeys(cajaVM);
   for (var i = 0; i < cajaVMKeys.length; ++i) {
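Review bot: `setTotallyUnsafeNoSecurityAtAll: setUnsafe` publishes a switch that turns off the toxic-function check, and the hunk does not show who can reach the object it is added to. Presumably this literal is the `___` object named in the description and is host-only; that should be confirmed, along with the `cajaVMKeys` loop below not making the setter visible to guest code. A comment on the entry would record the intent, e.g. `// Host/debugging only: disables the toxic-function check; must never be reachable from guest code.` The exported name differs from the internal `setUnsafe` and `UTTERLY_UNSAFE`, so a search for one will not find the others; aligning them is worth considering. Both the object literal and the loop extend beyond the hunk.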
Index: src/com/google/caja/plugin/bridal.js
===================================================================
--- src/com/google/caja/plugin/bridal.js        (revision 5031)
+++ src/com/google/caja/plugin/bridal.js        (working copy)
@@ -17,6 +17,8 @@
* A set of utility functions that implement browser feature testing to unify * certain DOM behaviors, and a set of recommendations about when to use these
  * functions as opposed to the native DOM functions.
+ * The acronym was something like BRowser Independent Dom Application Layer
+ * but we've forgotten the exact details.
  *
  * @author [email protected]
  * @author [email protected]
Index: src/com/google/caja/plugin/domado.js
===================================================================
--- src/com/google/caja/plugin/domado.js        (revision 5031)
+++ src/com/google/caja/plugin/domado.js        (working copy)
@@ -2702,8 +2702,7 @@
           return np(this).feral.contains(otherNode);
         });
       }
-      if ('function' ===
-          typeof docEl.compareDocumentPosition) {
+      if ('function' === typeof docEl.compareDocumentPosition) {
         /**
* Speced in <a href="http://www.w3.org/TR/DOM-Level-3-Core/core.html#Node3-compareDocumentPosition";>DOM-Level-3</a>.
          */

