Status: New
Owner: [email protected]
Labels: Type-Defect Priority-High Component-Build
New issue 1956 by [email protected]: JS minifier (optimizer) transforms
comma expressions invalidly
https://code.google.com/p/google-caja/issues/detail?id=1956
The minifier incorrectly transforms
q = (1,y.z)();
to
q = y.z();
Additionally, I tried writing the obvious test case for this (in
JsOptimizerTest.java) and it hung in an infinite loop inside
ParseTreeKB.optimize:
+ public final void testCommaNotChanged() throws Exception {
+ assertOptimized(
+ js(fromString("q = (1,y.z)();")),
+ js(fromString("q = (1,y.z)();")));
+ }
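Review bot: testCommaNotChanged asserts only that the source text round-trips, and nothing in the test says why the comma has to survive. A short comment that (1,y.z)() calls the function without y as its receiver, while y.z() passes y as this, would keep a later cleanup from "simplifying" the expectation. Since the report says this test currently hangs inside ParseTreeKB.optimize, it also needs a timeout or has to land together with the loop fix, so that it fails rather than blocking the rest of JsOptimizerTest.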
This is not currently a vulnerability as we never use the (1,o.m)() form
statically in any critical location. However, it is a significant hazard
for future code changes (because we use this pattern in other ways and so
it looks like a fine thing to do).
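Why the rewrite in this issue is not semantics-preserving, as an added example that is not part of the original report or of Caja's code: a comma expression yields a value rather than a property reference, so (1,y.z)() calls the function without y as its receiver, while y.z() passes y as this. The names receiverOf, receiverChanges and REWRITES and the fixture object are hypothetical, and the rewrite pairs are constructed.

```javascript
// Report which receiver (`this`) y.z observes when `callExpr` is evaluated.
// `y` is a constructed fixture; callExpr must be a call expression over it.
function receiverOf(callExpr) {
  const y = {
    z: function () {
      'use strict'; // unbound calls then see `this === undefined`
      return this === y ? 'y' : this === undefined ? 'none' : 'other';
    },
  };
  // Compile the expression with `y` as its only free variable.
  return new Function('y', 'return ' + callExpr + ';')(y);
}

// Return the [before, after] pairs whose receiver differs, i.e. rewrites
// that are not semantics-preserving for a `this`-sensitive callee.
function receiverChanges(pairs) {
  return pairs.filter(([before, after]) =>
    receiverOf(before) !== receiverOf(after));
}

// Constructed rewrite pairs: [original source, minifier output].
const REWRITES = [
  ['(1,y.z)()', 'y.z()'],     // the rewrite from this issue
  ['(y.z)()', 'y.z()'],       // plain parentheses keep the reference
  ['(1,y.z)()', '(0,y.z)()'], // changing the discarded operand is fine
];

for (const [before, after] of REWRITES) {
  console.log(`${before} -> ${receiverOf(before)}; ` +
              `${after} -> ${receiverOf(after)}`);
}
console.log('unsafe:', JSON.stringify(receiverChanges(REWRITES)));
```

Only the first pair is reported: dropping plain parentheses or changing the discarded operand leaves the receiver unchanged, while removing the comma operator changes it.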