Title: [120197] branches/chromium/1132
Revision: 120197
Author: [email protected]
Date: 2012-06-13 06:46:39 -0700 (Wed, 13 Jun 2012)
Log Message
Merge 117928 - REGRESSION r110315: Event handler throws TypeError for an input element with name="arguments"
https://bugs.webkit.org/show_bug.cgi?id=86991
Reviewed by Ojan Vafai.
Source/WebCore:
Original Chromium bug: http://code.google.com/p/chromium/issues/detail?id=128723
Consider the following html:
<html><body><form>
<input type="hidden" name="arguments"></input>
<div onclick="onclicked()" id="divInsideForm">Click here</div>
</form></body>
<script>
function onclicked() {
alert("onclicked");
}
</script>
</html>
If we click "Click here", JavaScript throws "Uncaught TypeError: undefined has no properties".
This is a regression caused by r110315. V8LazyEventListener should not use
'arguments' to retrieve the execution contexts, since 'arguments' can be
shadowed by JavaScript.
This patch changes V8LazyEventListener so that it retrieves contexts
by this[2], this[1] and this[0].
Test: fast/forms/form-input-named-arguments.html
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
LayoutTests:
The added test checks whether an event handler is successfully invoked
for an input element with name="arguments".
* fast/forms/form-input-named-arguments-expected.txt: Added.
* fast/forms/form-input-named-arguments.html: Added.
[email protected]
Review URL: https://chromiumcodereview.appspot.com/10532125
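The shadowing the commit message describes, as an added example that is not WebKit or Chromium code. The two wrapper builders mirror the pre- and post-fix source text that V8LazyEventListener::prepareListenerObject assembles; the node, form and document scope objects are plain objects constructed here, with the form given an own `arguments` property to stand in for the named-property access a form element provides for a control with name="arguments". `new Function` is used in place of V8Proxy::compileScript so the wrapper is compiled in sloppy mode, which `with` requires.

```javascript
// Added example (not WebKit code): why `with (arguments[1])` breaks when a form
// control is named "arguments", and why `with (this[1])` does not.

// Constructed stand-ins for the three scope wrappers the real listener passes.
// A form exposes its controls as named properties, so <input name="arguments">
// appears as form.arguments; that is the property that shadows the real
// `arguments` object once `with (form)` is in effect.
function makeScopes() {
  const node = { id: "divInsideForm" };
  const form = { arguments: { type: "hidden", name: "arguments" } };
  const document = { calls: 0, onclicked: null };
  document.onclicked = function () { document.calls++; };
  return { node, form, document };
}

// Wrapper text as built before r117928: each scope object is fetched through
// the identifier `arguments`, which `with` resolves against the enclosing
// scope objects before reaching the function's own arguments object.
function buildOldWrapper(eventParam, body) {
  return "(function() {" +
    "with (arguments[2]) {" +
    "with (arguments[1]) {" +
    "with (arguments[0]) {" +
    "return function(" + eventParam + ") {" + body + "\n};}}}})";
}

// Wrapper text after the fix: scope objects are reached through `this`, which
// is a keyword and cannot be shadowed by `with`; the inner function is invoked
// as a method of the arguments object so `this` is that object. The fourth
// (null) argument makes index 3 an own property before it is assigned.
function buildNewWrapper(eventParam, body) {
  return "(function() {" +
    "arguments[3] = function() {" +
    "with (this[2]) {" +
    "with (this[1]) {" +
    "with (this[0]) {" +
    "return function(" + eventParam + ") {" + body + "\n};}}}};" +
    "return arguments[3]();})";
}

// Function-constructor code is sloppy mode regardless of the caller's mode,
// so `with` compiles even if this file is loaded as a strict module.
function compileWrapper(source) {
  return new Function("return " + source)();
}

// Builds the handler with the given wrapper, fires it once, and reports
// whether the page's onclicked() ran or the wrapper threw.
function runHandler(build, passExtraNull) {
  const { node, form, document } = makeScopes();
  const outer = compileWrapper(build("event", "onclicked()"));
  const args = passExtraNull ? [node, form, document, null] : [node, form, document];
  try {
    const handler = outer.apply(undefined, args);
    handler({ type: "click" });
    return { fired: document.calls === 1, error: null };
  } catch (e) {
    return { fired: false, error: e.constructor.name };
  }
}

function oldWrapperResult() { return runHandler(buildOldWrapper, false); }
function newWrapperResult() { return runHandler(buildNewWrapper, true); }
```

With the old wrapper, `with (arguments[0])` is evaluated inside `with (form)`, so `arguments` resolves to the hidden input, `arguments[0]` is undefined, and the `with` statement throws a TypeError before any handler exists; the new wrapper resolves every scope through `this` and the handler fires.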
Diff
Copied: branches/chromium/1132/LayoutTests/fast/forms/form-input-named-arguments-expected.txt (from rev 117928, trunk/LayoutTests/fast/forms/form-input-named-arguments-expected.txt) (0 => 120197)
--- branches/chromium/1132/LayoutTests/fast/forms/form-input-named-arguments-expected.txt (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/forms/form-input-named-arguments-expected.txt 2012-06-13 13:46:39 UTC (rev 120197)
@@ -0,0 +1,5 @@
+PASS clicked is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/chromium/1132/LayoutTests/fast/forms/form-input-named-arguments.html (from rev 117928, trunk/LayoutTests/fast/forms/form-input-named-arguments.html) (0 => 120197)
--- branches/chromium/1132/LayoutTests/fast/forms/form-input-named-arguments.html (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/forms/form-input-named-arguments.html 2012-06-13 13:46:39 UTC (rev 120197)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head></head>
+<body>
+<script src=""
+<form>
+<input type="hidden" name="arguments"></input>
+<div _onclick_="onclicked()" id="divInsideForm"></div>
+</form>
+</body>
+<script>
+var clicked = false;
+
+function onclicked() {
+ clicked = true;
+}
+
+var event = document.createEvent("MouseEvents");
+event.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
+var div = document.getElementById("divInsideForm");
+div.dispatchEvent(event);
+
+shouldBeTrue('clicked');
+
+var successfullyParsed = true;
+</script>
+<script src=""
+</html>
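Review bot: As quoted, the two `<script src=""` lines at the top and bottom of the test carry an empty src and no closing tag, yet the body calls `shouldBeTrue('clicked')` and sets `successfullyParsed`, which only produce the PASS lines in the expectation when the js-test helper scripts are loaded; confirm the committed file references those helpers, since as rendered here `shouldBeTrue` would be an unresolved identifier. Likewise `_onclick_="onclicked()"` on the div is not an attribute the browser registers as a handler; if that is list-archive mangling of `onclick` the committed file is fine, otherwise the test would pass without exercising the lazy listener at all. The `</input>` end tag is also unnecessary for a void element.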
Modified: branches/chromium/1132/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt (120196 => 120197)
--- branches/chromium/1132/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt 2012-06-13 13:37:54 UTC (rev 120196)
+++ branches/chromium/1132/LayoutTests/platform/chromium-win/inspector/debugger/debugger-scripts-expected.txt 2012-06-13 13:46:39 UTC (rev 120197)
@@ -18,6 +18,6 @@
end: 48:0
script 6:
start: 51:56
- end: 52:7
+ end: 52:31
Debugger was disabled.
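Review bot: Only the chromium-win expectation for debugger-scripts is updated here; the end column moving from 52:7 to 52:31 follows directly from the longer wrapper text now generated in V8LazyEventListener.cpp, so the same shift applies on every platform that uses the V8 lazy listener. Check whether other chromium platform expectation files for inspector/debugger/debugger-scripts exist and need the same change, or whether this file should be the shared one.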
Modified: branches/chromium/1132/Source/WebCore/bindings/v8/V8LazyEventListener.cpp (120196 => 120197)
--- branches/chromium/1132/Source/WebCore/bindings/v8/V8LazyEventListener.cpp 2012-06-13 13:37:54 UTC (rev 120196)
+++ branches/chromium/1132/Source/WebCore/bindings/v8/V8LazyEventListener.cpp 2012-06-13 13:46:39 UTC (rev 120197)
@@ -137,16 +137,21 @@
// FIXME: V8 does not allow us to programmatically create object environments so
// we have to do this hack! What if m_code escapes to run arbitrary script?
//
+ // Call with 4 arguments instead of 3, pass additional null as the last parameter.
+ // By calling the function with 4 arguments, we create a setter on arguments object
+ // which would shadow property "3" on the prototype.
String code = "(function() {" \
- "with (arguments[2]) {" \
- "with (arguments[1]) {" \
- "with (arguments[0]) {";
+ "arguments[3] = function() {" \
+ "with (this[2]) {" \
+ "with (this[1]) {" \
+ "with (this[0]) {";
code.append("return function(");
code.append(m_eventParameterName);
code.append(") {");
code.append(m_code);
// Insert '\n' otherwise //-style comments could break the handler.
- code.append("\n};}}}})");
+ code.append("\n};}}}};");
+ code.append("return arguments[3]();})");
v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
v8::Handle<v8::Script> script = V8Proxy::compileScript(codeExternalString, m_sourceURL, m_position);
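Review bot: The new comment "we create a setter on arguments object which would shadow property '3' on the prototype" misdescribes what the fourth argument does: no setter is created. Passing four arguments gives the arguments object an own data property at index 3, so `arguments[3] = function() {...}` is an own-property write and cannot be intercepted by an accessor a page may have installed for "3" on Object.prototype. Suggest rewording to that, and adding a line explaining that `return arguments[3]();` deliberately calls the inner function as a method of the arguments object so that `this` inside it is the arguments object (sloppy-mode binding), which is why `this[2]`/`this[1]`/`this[0]` cannot be shadowed by the `with` scopes the way `arguments[...]` was. The FIXME above about m_code escaping still applies to the new text and should stay.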
@@ -174,7 +179,7 @@
v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(formElement);
v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);
- v8::Handle<v8::Value> parameters[3] = { nodeWrapper, formWrapper, documentWrapper };
+ v8::Handle<v8::Value> parameters[4] = { nodeWrapper, formWrapper, documentWrapper, v8::Handle<v8::Value>(v8::Null()) };
// FIXME: Remove this code when we stop doing the 'with' hack above.
v8::Local<v8::Value> innerValue;
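Review bot: `parameters` now has four elements, but the call that consumes it and the argc it passes are outside this hunk; confirm that call site was changed from 3 to 4, because if only three arguments reach the wrapper, index 3 is not an own property of the arguments object and the protection described in the comment in the previous hunk is lost while the code still appears to work. The `v8::Handle<v8::Value>(v8::Null())` placeholder itself is fine.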
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes