Reviewers: MarkM, metaweta,

Description:
* For Chrome 44 <https://github.com/google/caja/issues/1967>, avoid
  doing "O[P] = O[P]" in the case where it would be a noop by ES3
  rules, which seems to be sufficient for the issue.
* Found while testing: markFunc did nothing if the function was
  already marked. Since the Error subclass constructors now inherit
  from the Error constructor per ES6 (and in Chrome), this would cause
  the subclasses to not get new___ configured, so 'new EvalError(...)'
  would act as 'new Error(...)'. markFunc now looks for an own property.

Please review this at https://codereview.appspot.com/247900043/

Affected files (+12, -4 lines):
  M src/com/google/caja/es53.js


Index: src/com/google/caja/es53.js
diff --git a/src/com/google/caja/es53.js b/src/com/google/caja/es53.js
index 5765d0885a723bd11e8f849a117ab4fd92229b8a..1f5e009e7814b15e4c8bb3de03595220d4d6a8b7 100644
--- a/src/com/google/caja/es53.js
+++ b/src/com/google/caja/es53.js
@@ -718,7 +718,7 @@ var ___, cajaVM, safeJSON, WeakMap, ArrayLike, Proxy;
    * whitelisted properties of {@code this}).
    */
   function markFunc(fn, name) {
-    if (fn.ok___) { return fn; }
+    if (fn.ok___ && fn.hasOwnProperty('ok___')) { return fn; }
     if (!isFunction(fn)) {
       notFunction(fn);
     }
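Review bot: The own-property test added on line 29 goes through `fn.hasOwnProperty`, which is looked up on fn itself and can be shadowed by an own or inherited property of that name; for a function that a sandbox runtime is about to trust, a method resolved on the object under test is not a reliable primitive. Reading the intrinsic directly, `if (fn.ok___ && Object.prototype.hasOwnProperty.call(fn, 'ok___')) { return fn; }`, removes that dependency and is the conventional form. The same applies to `O.hasOwnProperty(P)` in the second and third hunks, where O is the object a property is being defined on and, if guest code can install a plain property named hasOwnProperty on it, the check would run guest code. markFunc's body continues past the hunk.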
@@ -2464,7 +2464,12 @@ var ___, cajaVM, safeJSON, WeakMap, ArrayLike, Proxy;
           //    Desc. If the value of an attribute field of Desc is
           //    absent, the attribute of the newly created property is
           //    set to its default value.
-          O[P] = Desc.configurable ? void 0 : O[P];
+
+          if (Desc.configurable) {
+            O[P] = void 0;
+          } else if (!O.hasOwnProperty(P)) {
+            O[P] = O[P];
+          }
           O[P + '_v___'] = false;
           O[P + '_w___'] =  O[P + '_gw___'] = false;
           O[P + '_e___'] = Desc.enumerable ? O : false;
@@ -2624,8 +2629,11 @@ var ___, cajaVM, safeJSON, WeakMap, ArrayLike, Proxy;
         O[P + '_gw___'] = Desc.writable ? O : false;
       } else {
         // Create the property if it's not there so that JSON.stringify
-        // can see the property.
-        O[P] = O[P];
+ // can see the property. But don't do this unless necessary in case of
+        // native ES5 accessors.
+        if (!O.hasOwnProperty(P)) {
+          O[P] = O[P];
+        }
         O[P + '_v___'] = false;
         O[P + '_gw___'] = false;
         O[P + '_g___'] = Desc.get;
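Review bot: The continuation comment on line 53 lost its indentation (`// can see the property. But don't do this …` sits at column 1 while the surrounding lines use eight spaces), so the two comment lines no longer read as one sentence block. Realign it as `        // can see the property. But don't do this unless necessary in case of` to match line 50 and line 54. The enclosing function starts and ends outside the hunk.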

