[V8] Ensure that invalid syntax in inline event handlers does not cause a crash
https://bugs.webkit.org/show_bug.cgi?id=81385

Reviewed by Nate Chapin.

Source/WebCore:

The way that V8 does its inline event handlers involves concatenating strings, and
if the attribute value is crafted in a special way this could cause a crash.

Test: fast/dom/inline-event-attributes-crash.html

* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):

LayoutTests:

* fast/dom/inline-event-attributes-crash-expected.txt: Added.
* fast/dom/inline-event-attributes-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@111043 268f45cc-cd09-0410-ab3c-d52691b4dbfc
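The failure mode the commit message describes, modelled in plain JavaScript as an added illustration (this is not WebKit's or V8's code): the attribute text is spliced into a wrapper by string concatenation, the crafted value from the layout test closes the wrapper early so that evaluation yields a number instead of a function, and a type check on the result turns what was a native cast-and-crash into a rejected handler. The wrapper shape, the helper names and the simulated dispatch are assumptions; the real binding also scopes the handler through a `with` chain, which is omitted here.

```javascript
// Added example, not WebKit/V8 code. Models an inline event handler being
// compiled by wrapping the attribute text in source code and evaluating it.

// Crafted attribute value taken from the layout test in this change.
const CRAFTED = 'return 42; }(); var x = {';

// Ordinary handler text for comparison (constructed for this example).
const BENIGN = 'event.target.clicked = true; return false';

// Assumed wrapper shape: an outer factory whose body returns the real
// handler. The attribute text is concatenated in verbatim, so a value that
// contains "}" can terminate the handler early and run code in the factory.
function wrapHandlerSource(body) {
  return '(function () { return function (event) {' + body + '\n}; })';
}

// Unsafe: assumes the factory always returns a function. With CRAFTED the
// factory becomes
//   return function (event) {return 42; }(); var x = {
//   };
// i.e. it calls the handler immediately and returns 42, not a function.
function compileUnsafe(body) {
  const factory = (0, eval)(wrapHandlerSource(body)); // indirect eval: global scope
  return factory();
}

// Safe: same wrapper, but any exception while building the handler, or a
// result that is not a function, is treated as a broken attribute and
// yields no listener instead of a value the caller will mis-handle.
function compileSafe(body) {
  let listener;
  try {
    listener = (0, eval)(wrapHandlerSource(body))();
  } catch (e) {
    // Syntax error, or runtime error from attribute code that escaped the
    // wrapper and executed inside the factory.
    return null;
  }
  return typeof listener === 'function' ? listener : null;
}

// Simulated dispatch. The native binding cast the value to a Function and
// crashed; here calling a non-function throws a TypeError instead.
function dispatch(listener, event) {
  if (listener === null) return false; // no handler installed
  listener.call(event.target, event);
  return true;
}

// Convenience for demonstrating the two paths on the same event.
function runBoth(body) {
  const event = { type: 'click', target: {} };
  let unsafe;
  try {
    unsafe = dispatch(compileUnsafe(body), event) ? 'dispatched' : 'no handler';
  } catch (e) {
    unsafe = e.constructor.name; // 'TypeError' for CRAFTED
  }
  const safe = dispatch(compileSafe(body), event) ? 'dispatched' : 'no handler';
  return { unsafe, safe, clicked: event.target.clicked === true };
}

console.log('crafted:', runBoth(CRAFTED)); // unsafe path throws TypeError
console.log('benign:', runBoth(BENIGN));   // both paths dispatch the handler
```

Note that with the crafted value the attribute code runs at compile time inside the factory rather than on dispatch, which is why `compileSafe` also swallows runtime exceptions from that step: once text has escaped the wrapper, nothing about the factory's return value or behaviour can be trusted.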
diff --git a/LayoutTests/fast/dom/inline-event-attributes-crash.html b/LayoutTests/fast/dom/inline-event-attributes-crash.html
new file mode 100644
index 0000000..05c5772
--- /dev/null
+++ b/LayoutTests/fast/dom/inline-event-attributes-crash.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<script src="../js/resources/js-test-pre.js"></script>
+<script>
+
+description('Tests that malformed code in event handler attributes does not cause a crash');
+
+function dispatchClick(element)
+{
+    var clickEvent = document.createEvent('MouseEvent');
+    clickEvent.initMouseEvent('click', true, false, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
+    element.dispatchEvent(clickEvent);
+}
+
+var div = document.createElement('div');
+div.setAttribute('onclick', 'return 42; }(); var x = {');
+dispatchClick(div);
+
+</script>
+<script src="../js/resources/js-test-post.js"></script>
\ No newline at end of file
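Review bot: the test has no positive assertion after `dispatchClick(div);`, so in the expected output a run where the script silently stops before dispatching is indistinguishable from a pass; add a line such as `testPassed('Dispatching to a malformed inline handler did not crash');` after the dispatch so the -expected.txt carries evidence that the dispatch completed. Since the fix concerns how the attribute text is concatenated into the wrapper, it would also be worth exercising a second shape of malformed value (for example an unbalanced `}` on its own, or an unterminated string literal) alongside the one payload here, which is tuned to a specific wrapper layout. Minor: the file is missing its trailing newline.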