// Dispatches |event| to the JavaScript listener owned by this object.
//
// |context| is the ScriptExecutionContext (document or worker) the event is
// fired in; |event| must be non-null. Nothing happens when JS execution has
// been forbidden for this context (e.g. V8 terminated execution in it) or
// when no V8 context can be obtained for this listener's world.
void V8AbstractEventListener::handleEvent(ScriptExecutionContext* context, Event* event)
{
    // Never re-enter V8 once execution has been terminated in this context.
    if (context->isJSExecutionForbidden())
        return;

    ASSERT(event);

    // The listener callback (e.g. on XMLHttpRequest) may remove this listener
    // and thereby drop the last reference to |this|. Keep it alive for the
    // whole dispatch. See issue 889829.
    RefPtr<V8AbstractEventListener> keepAlive(this);

    v8::HandleScope handleScope;

    v8::Local<v8::Context> listenerContext = toV8Context(context, worldContext());
    if (listenerContext.IsEmpty())
        return;

    // Run the handler inside the V8 context it belongs to.
    v8::Context::Scope contextScope(listenerContext);

    // Wrap the event for JavaScript; a wrapper is expected to always exist.
    v8::Handle<v8::Value> eventWrapper = toV8(event);
    ASSERT(!eventWrapper.IsEmpty());

    invokeEventHandler(context, event, eventWrapper);
}
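// Dispatches |event| to the JavaScript listener owned by this object and then
// updates style for all documents.
//
// |context| is the ScriptExecutionContext the event is fired in. Returns early
// when JS execution is forbidden in that context or no V8 context can be
// obtained for this listener's world.
void V8AbstractEventListener::handleEvent(ScriptExecutionContext* context, Event* event)
{
    // Don't re-enter V8 if execution was terminated in this context (same
    // guard as the isJSExecutionForbidden check used by the other
    // handleEvent revision in this file).
    if (context->isJSExecutionForbidden())
        return;

    ASSERT(event);

    // The callback function on XMLHttpRequest can clear the event listener and
    // destroy 'this' object. Keep a local reference to it. See issue 889829.
    RefPtr<V8AbstractEventListener> protect(this);

    v8::HandleScope handleScope;

    v8::Local<v8::Context> v8Context = toV8Context(context, worldContext());
    if (v8Context.IsEmpty())
        return;

    // Enter the V8 context in which to perform the event handling.
    v8::Context::Scope scope(v8Context);

    // Get the V8 wrapper for the event object. The wrapper can be empty; an
    // empty handle must not reach invokeEventHandler, which stores it as a
    // hidden value on the global object (V8 crashes on an empty handle there).
    v8::Handle<v8::Value> jsEvent = V8DOMWrapper::convertEventToV8Object(event);
    if (!jsEvent.IsEmpty())
        invokeEventHandler(context, event, jsEvent);

    Document::updateStyleForAllDocuments();
}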
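// Lazily compiles the inline event handler source (m_code) into a V8 function
// and stores it as this listener's function object.
//
// |context| is the ScriptExecutionContext the handler belongs to. Nothing is
// done when a listener object already exists, when the document's CSP forbids
// inline event handlers, when scripting is disabled for the frame, or when no
// V8 proxy/context is available.
void V8LazyEventListener::prepareListenerObject(ScriptExecutionContext* context)
{
    if (hasExistingListenerObject())
        return;

    // Content-Security-Policy: inline handlers may be blocked outright.
    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
        return;

    v8::HandleScope handleScope;

    V8Proxy* proxy = V8Proxy::retrieve(context);
    if (!proxy)
        return;

    // Do not compile handler source for a frame where scripts may not run
    // (scripting disabled / sandboxed). Other revisions of this function in
    // this file perform the same check.
    if (context->isDocument()) {
        Frame* frame = static_cast<Document*>(context)->frame();
        if (!frame || !frame->script()->canExecuteScripts(NotAboutToExecuteScript))
            return;
    }

    // Use the outer scope to hold context.
    v8::Local<v8::Context> v8Context = worldContext().adjustedContext(proxy);
    // Bail out if we cannot get the context.
    if (v8Context.IsEmpty())
        return;

    v8::Context::Scope scope(v8Context);

    // FIXME: cache the wrapper function.

    // Nodes other than the document object, when executing inline event
    // handlers push document, form, and the target node on the scope chain.
    // We do this by using 'with' statement.
    // See chrome/fast/forms/form-action.html
    //     chrome/fast/forms/selected-index-value.html
    //     base/fast/overflow/onscroll-layer-self-destruct.html
    //
    // Don't use new lines so that lines in the modified handler
    // have the same numbers as in the original code.
    //
    // FIXME: What about m_eventParameterName from JSLazyEventListener?
    // FIXME: This approach is a giant hack! What if m_code escapes to run
    // arbitrary script?
    //
    // NOTE(security): 'this.ownerDocument' and 'this.form' are resolved by
    // script at call time, so page content can redirect what ends up on the
    // scope chain (e.g. a form control named "form", or a getter). Later
    // revisions of this function in this file pass the node, form and document
    // wrappers in from C++ instead of looking them up here.
    String code = "(function (evt) {"
        "with (this.ownerDocument ? this.ownerDocument : {}) {"
        "with (this.form ? this.form : {}) {"
        "with (this) {"
        "return (function(evt){";
    code.append(m_code);
    // Insert '\n' otherwise //-style comments could break the handler.
    code.append("\n}).call(this, evt);}}}})");

    v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
    v8::Handle<v8::Script> script = V8Proxy::compileScript(codeExternalString, m_sourceURL, m_position);
    if (script.IsEmpty())
        return;

    v8::Local<v8::Value> value = proxy->runScript(script, false);
    if (value.IsEmpty())
        return;

    // The wrapper is expected to evaluate to a function, but m_code is
    // attacker-controlled text spliced into the wrapper above; never rely on a
    // debug-only ASSERT before casting. Refuse anything that is not a function.
    if (!value->IsFunction())
        return;
    v8::Local<v8::Function> wrappedFunction = v8::Local<v8::Function>::Cast(value);

    // Change the toString function on the wrapper function to avoid it
    // returning the source for the actual wrapper function. Instead it
    // returns source for a clean wrapper function with the event
    // argument wrapping the event source code. The reason for this is
    // that some web sites use toString on event functions and eval the
    // source returned (sometimes a RegExp is applied as well) for some
    // other use. That fails miserably if the actual wrapper source is
    // returned.
    v8::Persistent<v8::FunctionTemplate>& toStringTemplate = V8BindingPerIsolateData::current()->lazyEventListenerToStringTemplate();
    if (toStringTemplate.IsEmpty())
        toStringTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8LazyEventListenerToString));

    v8::Local<v8::Function> toStringFunction;
    if (!toStringTemplate.IsEmpty())
        toStringFunction = toStringTemplate->GetFunction();

    if (!toStringFunction.IsEmpty()) {
        // Note: the wrapper above always names its parameter 'evt'; the
        // reported source uses 'event' for non-SVG handlers (pre-existing
        // inconsistency, see the m_eventParameterName FIXME above).
        String toStringResult = "function ";
        toStringResult.append(m_functionName);
        toStringResult.append("(");
        toStringResult.append(m_isSVGEvent ? "evt" : "event");
        toStringResult.append(") {\n  ");
        toStringResult.append(m_code);
        toStringResult.append("\n}");
        wrappedFunction->SetHiddenValue(V8HiddenPropertyName::toStringString(), v8ExternalString(toStringResult));
        wrappedFunction->Set(v8::String::New("toString"), toStringFunction);
    }

    wrappedFunction->SetName(v8::String::New(fromWebCoreString(m_functionName), m_functionName.length()));

    setListenerObject(wrappedFunction);
}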
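// Lazily compiles the inline event handler source (m_code) into a V8 function
// and stores it as this listener's function object.
//
// |context| is the ScriptExecutionContext the handler belongs to; lazy
// listeners are only created for documents. Nothing is done when a listener
// object already exists, when the document's CSP forbids inline event
// handlers at this source location, when scripting is disabled for the frame,
// or when no V8 context is available.
void V8LazyEventListener::prepareListenerObject(ScriptExecutionContext* context)
{
    if (hasExistingListenerObject())
        return;

    // Content-Security-Policy: inline handlers may be blocked (reported with
    // the handler's source location).
    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
        return;

    v8::HandleScope handleScope;

    // Only documents are expected here; the static_cast below is unsafe for
    // anything else, so bail out in release builds rather than proceed.
    ASSERT(context->isDocument());
    if (!context->isDocument())
        return;

    // A document may have no frame (detached / implementation-created); the
    // original only ASSERTed before dereferencing.
    Frame* frame = static_cast<Document*>(context)->frame();
    ASSERT(frame);
    if (!frame)
        return;

    // Do not compile handler source for a frame where scripts may not run.
    if (!frame->script()->canExecuteScripts(NotAboutToExecuteScript))
        return;

    // Use the outer scope to hold context.
    v8::Local<v8::Context> v8Context = toV8Context(context, worldContext());
    // Bail out if we cannot get the context.
    if (v8Context.IsEmpty())
        return;

    v8::Context::Scope scope(v8Context);

    // Nodes other than the document object, when executing inline event
    // handlers push document, form, and the target node on the scope chain.
    // We do this by using 'with' statement.
    // See chrome/fast/forms/form-action.html
    //     chrome/fast/forms/selected-index-value.html
    //     base/fast/overflow/onscroll-layer-self-destruct.html
    //
    // Don't use new lines so that lines in the modified handler
    // have the same numbers as in the original code.
    //
    // FIXME: V8 does not allow us to programmatically create object environments so
    // we have to do this hack! What if m_code escapes to run arbitrary script?
    //
    // The node, form and document wrappers are supplied from C++ as own
    // properties 0, 1 and 2 of a fresh object used as 'this' (see ForceSet
    // below), so page script cannot redirect what ends up on the scope chain
    // the way it could with 'this.form' / 'this.ownerDocument' lookups.
    String code = "(function() {"
        "with (this[2]) {"
        "with (this[1]) {"
        "with (this[0]) {"
        "return function(" + m_eventParameterName + ") {" + m_code + "\n" // Insert '\n' otherwise //-style comments could break the handler.
        "};"
        "}}}})";

    v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
    v8::Handle<v8::Script> script = ScriptSourceCode::compileScript(codeExternalString, m_sourceURL, m_position);
    if (script.IsEmpty())
        return;

    // FIXME: Remove this code when we stop doing the 'with' hack above.
    v8::Local<v8::Value> value;
    {
        V8RecursionScope::MicrotaskSuppression scope;
        value = script->Run();
    }
    if (value.IsEmpty())
        return;

    // Call the outer function to get the inner function. m_code is page-
    // controlled text spliced into the wrapper, so the result is checked in
    // release builds too instead of relying on the ASSERT before the cast.
    ASSERT(value->IsFunction());
    if (!value->IsFunction())
        return;
    v8::Local<v8::Function> intermediateFunction = value.As<v8::Function>();

    HTMLFormElement* formElement = 0;
    if (m_node && m_node->isHTMLElement())
        formElement = static_cast<HTMLElement*>(m_node)->form();

    v8::Handle<v8::Object> nodeWrapper = toObjectWrapper<Node>(m_node);
    v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(formElement);
    v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);

    // ForceSet defines own properties on the fresh receiver; any failure means
    // the scope chain could not be built as intended, so give up.
    v8::Local<v8::Object> thisObject = v8::Object::New();
    if (thisObject.IsEmpty())
        return;
    if (!thisObject->ForceSet(v8UnsignedInteger(0), nodeWrapper))
        return;
    if (!thisObject->ForceSet(v8UnsignedInteger(1), formWrapper))
        return;
    if (!thisObject->ForceSet(v8UnsignedInteger(2), documentWrapper))
        return;

    // FIXME: Remove this code when we stop doing the 'with' hack above.
    v8::Local<v8::Value> innerValue;
    {
        V8RecursionScope::MicrotaskSuppression scope;
        innerValue = intermediateFunction->Call(thisObject, 0, 0);
    }
    if (innerValue.IsEmpty() || !innerValue->IsFunction())
        return;

    v8::Local<v8::Function> wrappedFunction = innerValue.As<v8::Function>();

    // Change the toString function on the wrapper function to avoid it
    // returning the source for the actual wrapper function. Instead it
    // returns source for a clean wrapper function with the event
    // argument wrapping the event source code. The reason for this is
    // that some web sites use toString on event functions and eval the
    // source returned (sometimes a RegExp is applied as well) for some
    // other use. That fails miserably if the actual wrapper source is
    // returned.
    v8::Persistent<v8::FunctionTemplate>& toStringTemplate = V8PerIsolateData::current()->lazyEventListenerToStringTemplate();
    if (toStringTemplate.IsEmpty())
        toStringTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8LazyEventListenerToString));

    v8::Local<v8::Function> toStringFunction;
    if (!toStringTemplate.IsEmpty())
        toStringFunction = toStringTemplate->GetFunction();

    if (!toStringFunction.IsEmpty()) {
        String toStringString = "function " + m_functionName + "(" + m_eventParameterName + ") {\n  " + m_code + "\n}";
        wrappedFunction->SetHiddenValue(V8HiddenPropertyName::toStringString(), v8ExternalString(toStringString));
        wrappedFunction->Set(v8::String::NewSymbol("toString"), toStringFunction);
    }

    wrappedFunction->SetName(v8String(m_functionName));

    // FIXME: Remove the following comment-outs.
    // See https://bugs.webkit.org/show_bug.cgi?id=85152 for more details.
    //
    // For the time being, we comment out the following code since the
    // second parsing can happen.
    //
    // Since we only parse once, there's no need to keep data used for parsing around anymore.
    // m_functionName = String();
    // m_code = String();
    // m_eventParameterName = String();
    // m_sourceURL = String();

    setListenerObject(wrappedFunction);
}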
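// Invokes the listener function for |event| with |jsEvent| as its wrapper.
//
// The wrapper is temporarily published on the global object under the hidden
// 'event' name (so DOMWindow bindings can expose window.event) and restored
// afterwards. Exceptions thrown by the handler are reported to the target and
// do not propagate to the code that dispatched the event. A non-null/undefined
// return value may be stored on the event and, for attribute listeners, may
// cancel the default action.
void V8AbstractEventListener::invokeEventHandler(ScriptExecutionContext* context, Event* event, v8::Handle<v8::Value> jsEvent)
{
    // If jsEvent is empty, attempting to set it as a hidden value would crash v8.
    if (jsEvent.IsEmpty())
        return;

    v8::Local<v8::Context> v8Context = toV8Context(context, worldContext());
    if (v8Context.IsEmpty())
        return;

    // We push the event being processed into the global object, so that it can be exposed by DOMWindow's bindings.
    v8::Handle<v8::String> eventSymbol = V8HiddenPropertyName::event();
    v8::Local<v8::Value> returnValue;

    // In beforeunload/unload handlers, we want to avoid sleeps which do tight loops of calling Date.getTime().
    // DateExtension is process-wide state, so every exit path below must re-enable sleeping.
    const bool isUnloadHandler = event->type() == eventNames().beforeunloadEvent || event->type() == eventNames().unloadEvent;
    if (isUnloadHandler)
        DateExtension::get()->setAllowSleep(false);

    {
        // Catch exceptions thrown in the event handler so they do not propagate to javascript code that caused the event to fire.
        v8::TryCatch tryCatch;
        tryCatch.SetVerbose(true);

        // Save the old 'event' property so we can restore it later.
        v8::Local<v8::Value> savedEvent = v8Context->Global()->GetHiddenValue(eventSymbol);
        tryCatch.Reset();

        // Make the event available in the global object, so DOMWindow can expose it.
        v8Context->Global()->SetHiddenValue(eventSymbol, jsEvent);
        tryCatch.Reset();

        returnValue = callListenerFunction(context, jsEvent, event);
        if (tryCatch.HasCaught())
            event->target()->uncaughtExceptionInEventHandler();

        if (!tryCatch.CanContinue()) { // Result of TerminateExecution().
#if ENABLE(WORKERS)
            if (context->isWorkerContext())
                static_cast<WorkerContext*>(context)->script()->forbidExecution();
#endif
            // Execution in this context is over, so the saved 'event' is not
            // restored; the global Date sleep flag must not be left disabled
            // for the rest of the process, though.
            if (isUnloadHandler)
                DateExtension::get()->setAllowSleep(true);
            return;
        }
        tryCatch.Reset();

        // Restore the old event. This must be done for all exit paths through this method.
        if (savedEvent.IsEmpty())
            v8Context->Global()->SetHiddenValue(eventSymbol, v8::Undefined());
        else
            v8Context->Global()->SetHiddenValue(eventSymbol, savedEvent);
        tryCatch.Reset();
    }

    if (isUnloadHandler)
        DateExtension::get()->setAllowSleep(true);

    ASSERT(!handleOutOfMemory() || returnValue.IsEmpty());

    if (returnValue.IsEmpty())
        return;

    if (!returnValue->IsNull() && !returnValue->IsUndefined() && event->storesResultAsString())
        event->storeResult(toWebCoreString(returnValue));

    if (m_isAttribute && shouldPreventDefault(returnValue))
        event->preventDefault();
}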
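// Invokes the listener function for |event| with |jsEvent| as its wrapper.
//
// The wrapper is temporarily published on the global object under the hidden
// 'event' name (so DOMWindow bindings can expose window.event) and restored
// afterwards. Exceptions thrown by the handler are reported and do not
// propagate to the code that dispatched the event. A non-null/undefined
// return value may be stored on the event; for attribute listeners a return
// value of false cancels the default action.
void V8AbstractEventListener::invokeEventHandler(ScriptExecutionContext* context, Event* event, v8::Handle<v8::Value> jsEvent)
{
    // An empty wrapper must never be stored as a hidden value on the global
    // object: V8 crashes on an empty handle there.
    if (jsEvent.IsEmpty())
        return;

    v8::Local<v8::Context> v8Context = toV8Context(context, worldContext());
    if (v8Context.IsEmpty())
        return;

    // We push the event being processed into the global object, so that it can be exposed by DOMWindow's bindings.
    v8::Local<v8::String> eventSymbol = v8::String::NewSymbol("event");
    v8::Local<v8::Value> returnValue;

    // In beforeunload/unload handlers, we want to avoid sleeps which do tight loops of calling Date.getTime().
    // DateExtension is process-wide state, so every exit path below must re-enable sleeping.
    const bool isUnloadHandler = event->type() == "beforeunload" || event->type() == "unload";
    if (isUnloadHandler)
        DateExtension::get()->setAllowSleep(false);

    {
        // Catch exceptions thrown in the event handler so they do not propagate to javascript code that caused the event to fire.
        v8::TryCatch tryCatch;
        tryCatch.SetVerbose(true);

        // Save the old 'event' property so we can restore it later.
        v8::Local<v8::Value> savedEvent = v8Context->Global()->GetHiddenValue(eventSymbol);
        tryCatch.Reset();

        // Make the event available in the global object, so DOMWindow can expose it.
        v8Context->Global()->SetHiddenValue(eventSymbol, jsEvent);
        tryCatch.Reset();

        // Call the event handler.
        returnValue = callListenerFunction(context, jsEvent, event);

        if (!tryCatch.CanContinue()) {
            // Execution was terminated; the context is not usable anymore, but
            // the global Date sleep flag must not stay disabled for the whole
            // process.
            if (isUnloadHandler)
                DateExtension::get()->setAllowSleep(true);
            return;
        }

        // If an error occurs while handling the event, it should be reported.
        if (tryCatch.HasCaught()) {
            reportException(0, tryCatch);
            tryCatch.Reset();
        }

        // Restore the old event. This must be done for all exit paths through this method.
        if (savedEvent.IsEmpty())
            v8Context->Global()->SetHiddenValue(eventSymbol, v8::Undefined());
        else
            v8Context->Global()->SetHiddenValue(eventSymbol, savedEvent);
        tryCatch.Reset();
    }

    if (isUnloadHandler)
        DateExtension::get()->setAllowSleep(true);

    ASSERT(!V8Proxy::handleOutOfMemory() || returnValue.IsEmpty());

    if (returnValue.IsEmpty())
        return;

    if (!returnValue->IsNull() && !returnValue->IsUndefined() && event->storesResultAsString())
        event->storeResult(toWebCoreString(returnValue));

    // Prevent default action if the return value is false;
    // FIXME: Add example, and reference to bug entry.
    if (m_isAttribute && returnValue->IsBoolean() && !returnValue->BooleanValue())
        event->preventDefault();
}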
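// Lazily compiles the inline event handler source (m_code) into a V8 function
// and stores it as this listener's function object.
//
// |context| is the ScriptExecutionContext the handler belongs to; lazy
// listeners are only created for documents. Nothing is done when a listener
// object already exists, when the document's CSP forbids inline event
// handlers, when scripting is disabled for the frame, or when no V8
// proxy/context is available. On success the listener's references to its
// node and form element are released.
void V8LazyEventListener::prepareListenerObject(ScriptExecutionContext* context)
{
    if (hasExistingListenerObject())
        return;

    // Content-Security-Policy: inline handlers may be blocked outright.
    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
        return;

    v8::HandleScope handleScope;

    V8Proxy* proxy = V8Proxy::retrieve(context);
    if (!proxy)
        return;

    // Only documents are expected here; the static_cast below is unsafe for
    // anything else, so bail out in release builds rather than proceed.
    ASSERT(context->isDocument());
    if (!context->isDocument())
        return;

    // The original dereferenced frame() unchecked; a document without a frame
    // must not crash here.
    Frame* frame = static_cast<Document*>(context)->frame();
    if (!frame)
        return;

    // Do not compile handler source for a frame where scripts may not run.
    if (!frame->script()->canExecuteScripts(NotAboutToExecuteScript))
        return;

    // Use the outer scope to hold context.
    v8::Local<v8::Context> v8Context = worldContext().adjustedContext(proxy);
    // Bail out if we cannot get the context.
    if (v8Context.IsEmpty())
        return;

    v8::Context::Scope scope(v8Context);

    // Nodes other than the document object, when executing inline event
    // handlers push document, form, and the target node on the scope chain.
    // We do this by using 'with' statement.
    // See chrome/fast/forms/form-action.html
    //     chrome/fast/forms/selected-index-value.html
    //     base/fast/overflow/onscroll-layer-self-destruct.html
    //
    // Don't use new lines so that lines in the modified handler
    // have the same numbers as in the original code.
    //
    // FIXME: V8 does not allow us to programmatically create object environments so
    // we have to do this hack! What if m_code escapes to run arbitrary script?
    //
    // The node, form and document wrappers are passed in from C++ as the
    // three call arguments, so page script cannot redirect what ends up on
    // the scope chain the way it could with 'this.form' / 'this.ownerDocument'
    // lookups.
    String code = "(function() {"
        "with (arguments[2]) {"
        "with (arguments[1]) {"
        "with (arguments[0]) {";
    code.append("return function(");
    code.append(m_eventParameterName);
    code.append(") {");
    code.append(m_code);
    // Insert '\n' otherwise //-style comments could break the handler.
    code.append("\n};}}}})");

    v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
    v8::Handle<v8::Script> script = V8Proxy::compileScript(codeExternalString, m_sourceURL, m_position);
    if (script.IsEmpty())
        return;

    // Call v8::Script::Run() directly to avoid an erroneous call to V8RecursionScope::didLeaveScriptContext().
    // FIXME: Remove this code when we stop doing the 'with' hack above.
    v8::Local<v8::Value> value = script->Run();
    if (value.IsEmpty())
        return;

    // Call the outer function to get the inner function. m_code is page-
    // controlled text spliced into the wrapper, so the result is checked in
    // release builds too instead of relying on the ASSERT before the cast.
    ASSERT(value->IsFunction());
    if (!value->IsFunction())
        return;
    v8::Local<v8::Function> intermediateFunction = value.As<v8::Function>();

    v8::Handle<v8::Object> nodeWrapper = toObjectWrapper<Node>(m_node.get());
    v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(m_formElement.get());
    v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);

    // The wrappers now hold what the handler needs; drop the listener's own
    // references to the node and form.
    m_node.clear();
    m_formElement.clear();

    v8::Handle<v8::Value> parameters[3] = { nodeWrapper, formWrapper, documentWrapper };

    // Use Call directly to avoid an erroneous call to V8RecursionScope::didLeaveScriptContext().
    // FIXME: Remove this code when we stop doing the 'with' hack above.
    v8::Local<v8::Value> innerValue = intermediateFunction->Call(v8Context->Global(), 3, parameters);
    if (innerValue.IsEmpty() || !innerValue->IsFunction())
        return;

    v8::Local<v8::Function> wrappedFunction = innerValue.As<v8::Function>();

    // Change the toString function on the wrapper function to avoid it
    // returning the source for the actual wrapper function. Instead it
    // returns source for a clean wrapper function with the event
    // argument wrapping the event source code. The reason for this is
    // that some web sites use toString on event functions and eval the
    // source returned (sometimes a RegExp is applied as well) for some
    // other use. That fails miserably if the actual wrapper source is
    // returned.
    v8::Persistent<v8::FunctionTemplate>& toStringTemplate = V8BindingPerIsolateData::current()->lazyEventListenerToStringTemplate();
    if (toStringTemplate.IsEmpty())
        toStringTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8LazyEventListenerToString));

    v8::Local<v8::Function> toStringFunction;
    if (!toStringTemplate.IsEmpty())
        toStringFunction = toStringTemplate->GetFunction();

    if (!toStringFunction.IsEmpty()) {
        String toStringResult = "function ";
        toStringResult.append(m_functionName);
        toStringResult.append("(");
        toStringResult.append(m_eventParameterName);
        toStringResult.append(") {\n  ");
        toStringResult.append(m_code);
        toStringResult.append("\n}");
        wrappedFunction->SetHiddenValue(V8HiddenPropertyName::toStringString(), v8ExternalString(toStringResult));
        wrappedFunction->Set(v8::String::NewSymbol("toString"), toStringFunction);
    }

    wrappedFunction->SetName(v8::String::New(fromWebCoreString(m_functionName), m_functionName.length()));

    setListenerObject(wrappedFunction);
}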