Description

This fixes http://code.google.com/p/google-caja/issues/detail?id=1077

fn.apply() has trouble on IE[678] because IE's native apply
doesn't conform to standards. ES5 says that these
should all be equivalent:

    fn.apply(x)
    fn.apply(x, [])
    fn.apply(x, null)
    fn.apply(x, void 0)

but IE throws a type error for the last two.

There was a previous patch that fixed this problem in
most cases, but it didn't fix the case of valija-mode

    Object.prototype.toString.apply(x)

which is a common technique to get the native type of x.

I think this patch now fixes fn.apply() behavior in
almost all cases. There are still two deviations from
ES5 behavior, mentioned in domita_test_untrusted.html

1. If fn.apply is the native apply, not a caja wrapper,
   then fn.apply(x, null) will throw a type error on IE.
   To fix that, fn.apply would have to always be a wrapper
   on IE. I don't think it's worth fixing that, because
   it's easy for programs to avoid the problem. And since
   this is an existing browser incompatibility, it's
   unlikely that programs rely on that specific behavior.

2. fn.apply(x, 9) is supposed to throw a type error,
   but when fn.apply is a caja wrapper, it's sometimes
   equivalent to fn.apply(x, undefined). To fix that,
   the fn.apply wrappers that use Array.slice would have
   to do a complex typecheck: throw an error unless
   args is null or undefined or an array or an array-like
   object like "arguments". I don't think that's worth
   it, since I can't think of a plausible reason that
   code would rely on getting a type error here.
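
Added example, not part of this patch or of Caja's code: a sketch of an apply wrapper that accepts the four equivalent call forms listed in the description and performs the typecheck described in deviation 2. The names `toArgList` and `es5Apply` are hypothetical, and a missing `length` is treated as 0 for simplicity.

```javascript
// Hypothetical helpers for illustration; these are not Caja functions.

// Normalize the second argument of apply() into a real array:
//   null / undefined      -> no arguments
//   array or array-like   -> copied element by element (e.g. `arguments`)
//   anything else (9, "") -> TypeError, as the description says ES5 requires
function toArgList(argArray) {
  if (argArray === null || argArray === void 0) {
    return [];
  }
  var t = typeof argArray;
  if (t !== 'object' && t !== 'function') {
    throw new TypeError('apply: argument list must be an object');
  }
  var len = argArray.length >>> 0;  // assumption: missing length counts as 0
  var out = [];
  for (var i = 0; i < len; i++) {
    out[i] = argArray[i];
  }
  return out;
}

// Call fn with thisArg and a normalized argument list. The native apply
// only ever sees a real array, so an engine that rejects null or
// undefined as the argument list is never handed one.
function es5Apply(fn, thisArg, argArray) {
  if (typeof fn !== 'function') {
    throw new TypeError('apply: target is not callable');
  }
  return Function.prototype.apply.call(fn, thisArg, toArgList(argArray));
}

// The native-type idiom from the description, routed through the wrapper.
function nativeTypeOf(x) {
  return es5Apply(Object.prototype.toString, x);
}
```
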

Patch Set 1
Total comments: 13
Patch Set 2: fix fn.apply() and Array.slice() on IE[678]
Patch Set 3: fix fn.apply() and Array.slice() on IE[678]
Total messages: 7