// Lazily compiles the inline event handler text (m_code) into a V8 function and
// installs it with setListenerObject(). Nothing is done when the document
// refuses inline handlers (allowInlineEventHandlers fails: the listener is
// cleared instead), when a listener object already exists, or when no V8
// context is available for the listener's world.
//
// Security-relevant shape of this version: m_code is spliced verbatim into a
// wrapper script string and compiled as ordinary script, so the wrapper's
// integrity depends purely on textual balancing of the handler text (see the
// FIXME below, which already flags that m_code could escape the wrapper).
// The policy check runs before any compilation so rejected handlers never
// reach V8.
void V8LazyEventListener::prepareListenerObject(ExecutionContext* context)
{
    // Policy check first: a document that disallows inline handlers drops the
    // listener entirely (clearListenerObject) rather than compiling it.
    if (context->isDocument() && !toDocument(context)->allowInlineEventHandlers(m_node, this, m_sourceURL, m_position.m_line)) {
        clearListenerObject();
        return;
    }

    if (hasExistingListenerObject())
        return;

    ASSERT(context->isDocument());

    v8::Isolate* isolate = toIsolate(context);
    v8::HandleScope handleScope(isolate);

    // Use the outer scope to hold context.
    v8::Local<v8::Context> v8Context = toV8Context(context, world());
    // Bail out if we cannot get the context.
    if (v8Context.IsEmpty())
        return;

    v8::Context::Scope scope(v8Context);

    // The inspector may rewrite the handler source before compilation; the
    // rewritten text, not m_code, is what ends up inside the wrapper below.
    String listenerSource = InspectorInstrumentation::preprocessEventListener(toDocument(context)->frame(), m_code, m_sourceURL, m_functionName);

    // FIXME: Remove the following 'with' hack.
    //
    // Nodes other than the document object, when executing inline event
    // handlers push document, form owner, and the target node on the scope chain.
    // We do this by using 'with' statement.
    // See chrome/fast/forms/form-action.html
    //     chrome/fast/forms/selected-index-value.html
    //     base/fast/overflow/onscroll-layer-self-destruct.html
    //
    // Don't use new lines so that lines in the modified handler
    // have the same numbers as in the original code.
    // FIXME: V8 does not allow us to programmatically create object environments so
    // we have to do this hack! What if m_code escapes to run arbitrary script?
    //
    // Call with 4 arguments instead of 3, pass additional null as the last parameter.
    // By calling the function with 4 arguments, we create a setter on arguments object
    // which would shadow property "3" on the prototype.
    //
    // Scope chain built here: this[2] (document) is outermost, then this[1]
    // (form owner), then this[0] (target node) innermost. The handler text is
    // concatenated raw into this source string.
    String code = "(function() {"
        "with (this[2]) {"
        "with (this[1]) {"
        "with (this[0]) {"
        "return function(" + m_eventParameterName + ") {" +
        listenerSource + "\n" // Insert '\n' otherwise //-style comments could break the handler.
        "};"
        "}}}})";
    v8::Handle<v8::String> codeExternalString = v8String(isolate, code);

    // Compiling and running the wrapper only evaluates the outer IIFE, which
    // returns the "with"-chained factory; the handler body does not run here.
    v8::Local<v8::Value> result = V8ScriptRunner::compileAndRunInternalScript(codeExternalString, isolate, m_sourceURL, m_position, 0);
    if (result.IsEmpty())
        return;

    // Call the outer function to get the inner function.
    ASSERT(result->IsFunction());
    v8::Local<v8::Function> intermediateFunction = result.As<v8::Function>();

    // The form owner is only defined for HTML elements; other nodes get a null
    // wrapper at this[1].
    HTMLFormElement* formElement = 0;
    if (m_node && m_node->isHTMLElement())
        formElement = toHTMLElement(m_node)->formOwner();

    v8::Handle<v8::Object> nodeWrapper = toObjectWrapper<Node>(m_node, isolate);
    v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(formElement, isolate);
    v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0, isolate);

    // The wrappers are handed to the factory as indices 0..2 of its "this"
    // object; ForceSet is used so that the slots are written regardless of any
    // existing property attributes. Any failure aborts without installing a
    // listener.
    v8::Local<v8::Object> thisObject = v8::Object::New(isolate);
    if (thisObject.IsEmpty())
        return;
    if (!thisObject->ForceSet(v8::Integer::New(isolate, 0), nodeWrapper))
        return;
    if (!thisObject->ForceSet(v8::Integer::New(isolate, 1), formWrapper))
        return;
    if (!thisObject->ForceSet(v8::Integer::New(isolate, 2), documentWrapper))
        return;

    // FIXME: Remove this code when we stop doing the 'with' hack above.
    v8::Local<v8::Value> innerValue = V8ScriptRunner::callInternalFunction(intermediateFunction, thisObject, 0, 0, isolate);
    if (innerValue.IsEmpty() || !innerValue->IsFunction())
        return;

    v8::Local<v8::Function> wrappedFunction = innerValue.As<v8::Function>();

    // Change the toString function on the wrapper function to avoid it
    // returning the source for the actual wrapper function. Instead it
    // returns source for a clean wrapper function with the event
    // argument wrapping the event source code. The reason for this is
    // that some web sites use toString on event functions and eval the
    // source returned (sometimes a RegExp is applied as well) for some
    // other use. That fails miserably if the actual wrapper source is
    // returned.
    // Note that the toString text is built from the original m_code, not the
    // inspector-preprocessed listenerSource that was actually compiled.
    v8::Local<v8::Function> toStringFunction = v8::Function::New(isolate, V8LazyEventListenerToString);
    ASSERT(!toStringFunction.IsEmpty());
    String toStringString = "function " + m_functionName + "(" + m_eventParameterName + ") {\n " + m_code + "\n}";
    setHiddenValue(isolate, wrappedFunction, "toStringString", v8String(isolate, toStringString));
    wrappedFunction->Set(v8AtomicString(isolate, "toString"), toStringFunction);

    wrappedFunction->SetName(v8String(isolate, m_functionName));

    // FIXME: Remove the following comment-outs.
    // See https://bugs.webkit.org/show_bug.cgi?id=85152 for more details.
    //
    // For the time being, we comment out the following code since the
    // second parsing can happen.
    //
    // Since we only parse once, there's no need to keep data used for parsing around anymore.
    // m_functionName = String();
    // m_code = String();
    // m_eventParameterName = String();
    // m_sourceURL = String();

    setListenerObject(wrappedFunction);
}
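// Lazily compiles the inline event handler text (m_code) into a V8 function and
// installs it with setListenerObject(). Nothing is done when the execution
// context is null or not a document, when no valid ScriptState exists for the
// listener's world, when the document refuses inline handlers
// (allowInlineEventHandlers fails: the listener is cleared instead), or when a
// listener object already exists.
//
// The handler body is compiled with v8::ScriptCompiler::CompileFunctionInContext,
// i.e. m_code is passed to V8 as the function body itself rather than being
// spliced into a wrapper script string, and the document / form owner / target
// node are supplied as context extensions instead of nested 'with' blocks. A
// compile error is reported to the document as an ErrorEvent, not thrown.
//
// Fix relative to the listed text: the argument array passed to
// CompileFunctionInContext must be `&parameterName` (the address of the
// v8::Local<v8::String>); the listing's `¶meterName` is a mis-decoded
// `&para` entity and does not compile.
void V8LazyEventListener::prepareListenerObject(ExecutionContext* executionContext)
{
    if (!executionContext)
        return;

    // A ScriptState used by the event listener needs to be calculated based on
    // the ExecutionContext that fired the event listener and the world
    // that installed the event listener.
    v8::HandleScope handleScope(toIsolate(executionContext));
    v8::Local<v8::Context> v8Context = toV8Context(executionContext, world());
    if (v8Context.IsEmpty())
        return;
    ScriptState* scriptState = ScriptState::from(v8Context);
    if (!scriptState->contextIsValid())
        return;

    if (!executionContext->isDocument())
        return;

    // Policy check before any compilation: a document that disallows inline
    // handlers drops the listener entirely rather than compiling it.
    if (!toDocument(executionContext)->allowInlineEventHandlers(m_node, this, m_sourceURL, m_position.m_line)) {
        clearListenerObject();
        return;
    }

    if (hasExistingListenerObject())
        return;

    ScriptState::Scope scope(scriptState);

    // Nodes other than the document object, when executing inline event
    // handlers push document, form owner, and the target node on the scope chain.
    // We do this by handing the three wrappers to CompileFunctionInContext as
    // context extensions (the `3, scopes` arguments below).
    // See fast/forms/form-action.html
    //     fast/forms/selected-index-value.html
    //     fast/overflow/onscroll-layer-self-destruct.html
    //
    // The form owner is only defined for HTML elements; other nodes get a null
    // wrapper in scopes[1].
    HTMLFormElement* formElement = nullptr;
    if (m_node && m_node->isHTMLElement())
        formElement = toHTMLElement(m_node)->formOwner();

    // scopes[0] is the document, scopes[1] the form owner, scopes[2] the
    // target node. NOTE(review): this is presumably ordered outermost-first to
    // mirror the former document -> form -> node 'with' nesting; confirm
    // against V8's CompileFunctionInContext contract.
    v8::Local<v8::Object> scopes[3];
    scopes[2] = toObjectWrapper<Node>(m_node, scriptState);
    scopes[1] = toObjectWrapper<HTMLFormElement>(formElement, scriptState);
    scopes[0] = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : nullptr, scriptState);

    v8::Local<v8::String> parameterName = v8String(isolate(), m_eventParameterName);
    // Source position of the handler attribute, so that errors and stack
    // traces point at the original markup rather than at generated text.
    v8::ScriptOrigin origin(
        v8String(isolate(), m_sourceURL),
        v8::Integer::New(isolate(), m_position.m_line.zeroBasedInt()),
        v8::Integer::New(isolate(), m_position.m_column.zeroBasedInt()),
        v8::True(isolate()),
        v8::Local<v8::Integer>(),
        v8::True(isolate()));
    v8::ScriptCompiler::Source source(v8String(isolate(), m_code), origin);

    v8::Local<v8::Function> wrappedFunction;
    {
        // JavaScript compilation error shouldn't be reported as a runtime
        // exception because we're not running any program code. Instead,
        // it should be reported as an ErrorEvent.
        v8::TryCatch block(isolate());
        wrappedFunction = v8::ScriptCompiler::CompileFunctionInContext(isolate(), &source, v8Context, 1, &parameterName, 3, scopes);
        if (block.HasCaught()) {
            fireErrorEvent(v8Context, executionContext, block.Message());
            return;
        }
    }
    // Defensive: do not install an empty handle if compilation failed without
    // leaving a caught exception behind.
    if (wrappedFunction.IsEmpty())
        return;

    // Change the toString function on the wrapper function to avoid it
    // returning the source for the actual wrapper function. Instead it
    // returns source for a clean wrapper function with the event
    // argument wrapping the event source code. The reason for this is
    // that some web sites use toString on event functions and eval the
    // source returned (sometimes a RegExp is applied as well) for some
    // other use. That fails miserably if the actual wrapper source is
    // returned.
    v8::Local<v8::Function> toStringFunction = v8::Function::New(isolate(), V8LazyEventListenerToString);
    if (toStringFunction.IsEmpty())
        return;
    String toStringString = "function " + m_functionName + "(" + m_eventParameterName + ") {\n " + m_code + "\n}";
    V8HiddenValue::setHiddenValue(scriptState, wrappedFunction, V8HiddenValue::toStringString(isolate()), v8String(isolate(), toStringString));
    // Set() returns a Maybe; a failed set aborts without installing a listener.
    if (!v8CallBoolean(wrappedFunction->Set(scriptState->context(), v8AtomicString(isolate(), "toString"), toStringFunction)))
        return;
    wrappedFunction->SetName(v8String(isolate(), m_functionName));

    // FIXME: Remove the following comment-outs.
    // See https://bugs.webkit.org/show_bug.cgi?id=85152 for more details.
    //
    // For the time being, we comment out the following code since the
    // second parsing can happen.
    //
    // Since we only parse once, there's no need to keep data used for parsing around anymore.
    // m_functionName = String();
    // m_code = String();
    // m_eventParameterName = String();
    // m_sourceURL = String();

    setListenerObject(wrappedFunction, scriptState);
}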