[V8] Ensure that invalid syntax in inline event handlers does not cause a crash
author arv@chromium.org <arv@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Mar 2012 19:23:14 +0000 (19:23 +0000)
committer arv@chromium.org <arv@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Mar 2012 19:23:14 +0000 (19:23 +0000)
commit 7d1fef508ec1c1801b8ce14b1d6ef317894911fc
tree 7f0aa7258a5f02ecaa626d1736cfc0f8d870a9c4
parent e5f42ffb3a426bf089ddb3c7f6b05b500548c6d5
[V8] Ensure that invalid syntax in inline event handlers does not cause a crash
https://bugs.webkit.org/show_bug.cgi?id=81385

Reviewed by Nate Chapin.

Source/WebCore:

The way that V8 does its inline event handler involves concatenating strings, and
if the attribute value is crafted in a special way this could cause a crash.

Test: fast/dom/inline-event-attributes-crash.html

* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):

LayoutTests:

* fast/dom/inline-event-attributes-crash-expected.txt: Added.
* fast/dom/inline-event-attributes-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@111043 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/inline-event-attributes-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/inline-event-attributes-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/v8/V8LazyEventListener.cpp