Revision: 117928
Author: [email protected]
Date: 2012-05-22 00:50:51 -0700 (Tue, 22 May 2012)
Log Message
REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
https://bugs.webkit.org/show_bug.cgi?id=86991
Reviewed by Ojan Vafai.
Source/WebCore:
Original Chromium bug: http://code.google.com/p/chromium/issues/detail?id=128723
Consider the following html:
<html><body><form>
<input type="hidden" name="arguments"></input>
<div onclick="onclicked()" id="divInsideForm">Click here</div>
</form></body>
<script>
function onclicked() {
alert("onclicked");
}
</script>
</html>
If we click "Click here", JavaScript throws "Uncaught TypeError: undefined has no properties".
This is a regression caused by r110315. V8LazyEventListener should not use
'arguments' to retrieve the execution contexts, since 'arguments' can be
shadowed by JavaScript.
This patch changes V8LazyEventListener so that it retrieves contexts
by this[2], this[1] and this[0].
Test: fast/forms/form-input-named-arguments.html
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
LayoutTests:
The added test checks whether an event handler is successfully invoked
for an input element with name="arguments".
* fast/forms/form-input-named-arguments-expected.txt: Added.
* fast/forms/form-input-named-arguments.html: Added.
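The scope problem the log message describes, reproduced as an added JavaScript example that is not part of this commit or of WebKit: plain objects stand in for the node, form and document wrappers, and `makeScopes`, `runListener`, `OLD_WRAPPER` and `NEW_WRAPPER` are names chosen here. It shows why reading the scope objects through `arguments[N]` breaks once a form control is named `arguments`, and why the `this[N]` form from the patch does not.

```javascript
// Added example, not WebKit code: the DOM wrappers are replaced by plain objects.

// Constructed stand-ins for the three scope objects the lazy listener is given.
function makeScopes(formControlName) {
  const node = { id: "divInsideForm" };
  const form = {};
  // A form exposes its named controls as properties, so a control named
  // "arguments" puts an `arguments` binding into the `with (form)` scope.
  form[formControlName] = { type: "hidden", name: formControlName };
  const document = { onclicked: function () { return "handler ran"; } };
  return [node, form, document];
}

// Shape of the wrapper before r117928: every scope object is read through
// `arguments[N]`, but once inside `with (form)` the identifier `arguments`
// resolves to the form control, so `arguments[0]` is undefined.
const OLD_WRAPPER =
  "return (function() {" +
  "with (arguments[2]) { with (arguments[1]) { with (arguments[0]) {" +
  "return function(event) { return onclicked(); };" +
  "}}}})";

// Shape of the wrapper after r117928: the inner function is stored as an own
// property of the real arguments object and called as a method, so `this` is
// that object; `this` is a keyword and is never resolved through `with` scopes.
const NEW_WRAPPER =
  "return (function() {" +
  "arguments[3] = function() {" +
  "with (this[2]) { with (this[1]) { with (this[0]) {" +
  "return function(event) { return onclicked(); };" +
  "}}}};" +
  "return arguments[3]();})";

// Compiles the wrapper in sloppy mode (Function bodies are never strict unless
// they opt in), builds the handler and invokes it with a constructed event.
// Returns the handler's result, or the name of the error class if it throws.
function runListener(wrapperSource, formControlName, passExtraNull) {
  const factory = new Function(wrapperSource)();
  const params = makeScopes(formControlName);
  if (passExtraNull) params.push(null); // the 4th parameter added by the patch
  try {
    const handler = factory.apply(null, params);
    return handler({ type: "click" });
  } catch (e) {
    return e.constructor.name;
  }
}
```

With a control named `arguments`, the old wrapper fails with a TypeError at handler-construction time while the new wrapper runs the handler; with any other control name both wrappers behave the same.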
Diff
Modified: trunk/LayoutTests/ChangeLog (117927 => 117928)
--- trunk/LayoutTests/ChangeLog 2012-05-22 07:47:26 UTC (rev 117927)
+++ trunk/LayoutTests/ChangeLog 2012-05-22 07:50:51 UTC (rev 117928)
@@ -1,3 +1,16 @@
+2012-05-22 Kentaro Hara <[email protected]>
+
+ REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
+ https://bugs.webkit.org/show_bug.cgi?id=86991
+
+ Reviewed by Ojan Vafai.
+
+ The added test checks whether an event handler is successfully invoked
+ for an input element with name="arguments".
+
+ * fast/forms/form-input-named-arguments-expected.txt: Added.
+ * fast/forms/form-input-named-arguments.html: Added.
+
2012-05-22 Emil A Eklund <[email protected]>
Chromium linux and mac rebaselines.
Added: trunk/LayoutTests/fast/forms/form-input-named-arguments-expected.txt (0 => 117928)
--- trunk/LayoutTests/fast/forms/form-input-named-arguments-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/form-input-named-arguments-expected.txt 2012-05-22 07:50:51 UTC (rev 117928)
@@ -0,0 +1,5 @@
+PASS clicked is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/forms/form-input-named-arguments.html (0 => 117928)
--- trunk/LayoutTests/fast/forms/form-input-named-arguments.html (rev 0)
+++ trunk/LayoutTests/fast/forms/form-input-named-arguments.html 2012-05-22 07:50:51 UTC (rev 117928)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head></head>
+<body>
+<script src=""
+<form>
+<input type="hidden" name="arguments"></input>
+<div _onclick_="onclicked()" id="divInsideForm"></div>
+</form>
+</body>
+<script>
+var clicked = false;
+
+function onclicked() {
+ clicked = true;
+}
+
+var event = document.createEvent("MouseEvents");
+event.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
+var div = document.getElementById("divInsideForm");
+div.dispatchEvent(event);
+
+shouldBeTrue('clicked');
+
+var successfullyParsed = true;
+</script>
+<script src=""
+</html>
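Review bot: `<input>` is a void element, so the `</input>` end tag on the hidden `name="arguments"` input is discarded by the HTML parser; dropping it keeps the test valid under the `<!DOCTYPE html>` it declares without changing what the test exercises. The `shouldBeTrue('clicked')` call also depends on the harness script included at the top of the body having loaded before the `dispatchEvent` line runs, which holds here only because that `<script src>` precedes the inline script.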
Modified: trunk/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt (117927 => 117928)
--- trunk/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt 2012-05-22 07:47:26 UTC (rev 117927)
+++ trunk/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt 2012-05-22 07:50:51 UTC (rev 117928)
@@ -18,6 +18,6 @@
end: 48:0
script 6:
start: 51:56
- end: 52:7
+ end: 52:31
Debugger was disabled.
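Review bot: the new `end: 52:31` bakes the exact source length of the generated listener wrapper into this expectation, so the next edit to the code string in V8LazyEventListener.cpp (including the removal of the `with` hack that the FIXME there asks for) will fail this test until it is rebaselined; a one-line note in the ChangeLog entry, or a comment beside the string, pointing at this test would save that round trip.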
Modified: trunk/Source/WebCore/ChangeLog (117927 => 117928)
--- trunk/Source/WebCore/ChangeLog 2012-05-22 07:47:26 UTC (rev 117927)
+++ trunk/Source/WebCore/ChangeLog 2012-05-22 07:50:51 UTC (rev 117928)
@@ -1,5 +1,41 @@
2012-05-22 Kentaro Hara <[email protected]>
+ REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
+ https://bugs.webkit.org/show_bug.cgi?id=86991
+
+ Reviewed by Ojan Vafai.
+
+ Original Chromium bug: http://code.google.com/p/chromium/issues/detail?id=128723
+
+ Consider the following html:
+
+ <html><body><form>
+ <input type="hidden" name="arguments"></input>
+ <div _onclick_="onclicked()" id="divInsideForm">Click here</div>
+ </form></body>
+ <script>
+ function onclicked() {
+ alert("onclicked");
+ }
+ </script>
+ </html>
+
+ If we click "Click here", _javascript_ throws "Uncaught TypeError: undefined has no properties".
+
+ This is a regression caused by r110315. V8LazyEventListener should not use
+ 'arguments' to retrieve the execution contexts, since 'arguments' can be
+ shadowed by _javascript_.
+
+ This patch changes V8LazyEventListener so that it retrieves contexts
+ by this[2], this[1] and this[0].
+
+ Test: fast/forms/form-input-named-arguments.html
+
+ * bindings/v8/V8LazyEventListener.cpp:
+ (WebCore::V8LazyEventListener::prepareListenerObject):
+
+2012-05-22 Kentaro Hara <[email protected]>
+
[V8] setDOMException() should return v8::Handle<v8::Value>()
https://bugs.webkit.org/show_bug.cgi?id=87083
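Review bot: the entry says contexts are now read via `this[2]`, `this[1]` and `this[0]` but not how `this` comes to be bound to the arguments object, which is the part of the change (the extra null fourth parameter and the `arguments[3]()` method-style call) a reader of the ChangeLog would need to understand the fix; suggest adding one sentence covering it.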
Modified: trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp (117927 => 117928)
--- trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp 2012-05-22 07:47:26 UTC (rev 117927)
+++ trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp 2012-05-22 07:50:51 UTC (rev 117928)
@@ -137,16 +137,21 @@
// FIXME: V8 does not allow us to programmatically create object environments so
// we have to do this hack! What if m_code escapes to run arbitrary script?
//
+ // Call with 4 arguments instead of 3, pass additional null as the last parameter.
+ // By calling the function with 4 arguments, we create a setter on arguments object
+ // which would shadow property "3" on the prototype.
String code = "(function() {" \
- "with (arguments[2]) {" \
- "with (arguments[1]) {" \
- "with (arguments[0]) {";
+ "arguments[3] = function() {" \
+ "with (this[2]) {" \
+ "with (this[1]) {" \
+ "with (this[0]) {";
code.append("return function(");
code.append(m_eventParameterName);
code.append(") {");
code.append(m_code);
// Insert '\n' otherwise //-style comments could break the handler.
- code.append("\n};}}}})");
+ code.append("\n};}}}};");
+ code.append("return arguments[3]();})");
v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
v8::Handle<v8::Script> script = V8Proxy::compileScript(codeExternalString, m_sourceURL, m_position);
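Review bot: the comment added at the top of the hunk explains the fourth argument but not why `this[2]`/`this[1]`/`this[0]` are immune to the shadowing that broke `arguments[N]`: `this` is a keyword rather than an identifier resolved through the `with` scope chain, and it is the arguments object only because `return arguments[3]();` is a method-style call in non-strict code. Both facts are worth stating next to the string, since a `"use strict"` directive added to the generated wrapper later would silently turn `this` into undefined and reintroduce the TypeError.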
@@ -174,7 +179,7 @@
v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(formElement);
v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);
- v8::Handle<v8::Value> parameters[3] = { nodeWrapper, formWrapper, documentWrapper };
+ v8::Handle<v8::Value> parameters[4] = { nodeWrapper, formWrapper, documentWrapper, v8::Handle<v8::Value>(v8::Null()) };
// FIXME: Remove this code when we stop doing the 'with' hack above.
v8::Local<v8::Value> innerValue;
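Review bot: the array length 4 and the trailing `v8::Handle<v8::Value>(v8::Null())` here are coupled to the `arguments[3] =` slot and the `arguments[3]()` call in the code string earlier in this file, with nothing tying the two together; a named constant for the slot index, or at least a comment beside `parameters[4]` saying the null exists only so that index 3 is an own property of the arguments object, would keep them from drifting apart.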