kylefang/angular.js
1
0
Fork 0
mirror of https://github.com/zhigang1992/angular.js.git synced 2026-01-12 22:45:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix($parse): prevent invocation of Function's bind, call and apply

Browse Source 
BREAKING CHANGE:
You can no longer invoke .bind, .call or .apply on a function in angular expressions.
This is to disallow changing the behaviour of existing functions
in an unforseen fashion.
This commit is contained in:
rodyhaddad
2014-06-26 15:25:11 -07:00
committed by Igor Minar
parent 0af70eb99e
commit 07fa87a8a8
3 changed files with 76 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/content/error/$parse/isecff.ngdoc Normal file
View File

@@ -0,0 +1,17 @@
@ngdoc error
@name $parse:isecff
@fullName Referencing 'call', 'apply' and 'bind' Disallowed
@description
Occurs when an expression attempts to invoke Function's 'call', 'apply' or 'bind'.
Angular bans the invocation of 'call', 'apply' and 'bind' from within expressions
since access is a known way to modify the behaviour of existing functions.
To resolve this error, avoid using these methods in expressions.
Example expression that would result in this error:
```
<div>{{user.sendInfo.call({}, true)}}</div>
```

8
src/ng/parse.js
View File

@@ -64,12 +64,20 @@ function ensureSafeObject(obj, fullExpression) {
return obj;
}
var CALL = Function.prototype.call;
var APPLY = Function.prototype.apply;
var BIND = Function.prototype.bind;
function ensureSafeFunction(obj, fullExpression) {
if (obj) {
if (obj.constructor === obj) {
throw $parseMinErr('isecfn',
'Referencing Function in Angular expressions is disallowed! Expression: {0}',
fullExpression);
} else if (obj === CALL || obj === APPLY || obj === BIND) {
throw $parseMinErr('isecff',
'Referencing call, apply or bind in Angular expressions is disallowed! Expression: {0}',
fullExpression);
}
}
}

52
test/ng/parseSpec.js
View File

@@ -698,6 +698,56 @@ describe('parser', function() {
});
});
describe('Function prototype functions', function () {
it('should NOT allow invocation to Function.call', function() {
scope.fn = Function.prototype.call;
expect(function() {
scope.$eval('$eval.call()')
}).toThrowMinErr(
'$parse', 'isecff', 'Referencing call, apply or bind in Angular expressions is disallowed! ' +
'Expression: $eval.call()');
expect(function() {
scope.$eval('fn()')
}).toThrowMinErr(
'$parse', 'isecff', 'Referencing call, apply or bind in Angular expressions is disallowed! ' +
'Expression: fn()');
});
it('should NOT allow invocation to Function.apply', function() {
scope.apply = Function.prototype.apply;
expect(function() {
scope.$eval('$eval.apply()')
}).toThrowMinErr(
'$parse', 'isecff', 'Referencing call, apply or bind in Angular expressions is disallowed! ' +
'Expression: $eval.apply()');
expect(function() {
scope.$eval('apply()')
}).toThrowMinErr(
'$parse', 'isecff', 'Referencing call, apply or bind in Angular expressions is disallowed! ' +
'Expression: apply()');
});
it('should NOT allow invocation to Function.bind', function() {
scope.bind = Function.prototype.bind;
expect(function() {
scope.$eval('$eval.bind()')
}).toThrowMinErr(
'$parse', 'isecff', 'Referencing call, apply or bind in Angular expressions is disallowed! ' +
'Expression: $eval.bind()');
expect(function() {
scope.$eval('bind()')
}).toThrowMinErr(
'$parse', 'isecff', 'Referencing call, apply or bind in Angular expressions is disallowed! ' +
'Expression: bind()');
});
});
describe('Object constructor', function() {
it('should NOT allow access to Object constructor that has been aliased', function() {
@@ -1053,7 +1103,7 @@ describe('parser', function() {
}));
});
describe('constant', function() {
it('should mark scalar value expressions as constant', inject(function($parse) {
expect($parse('12.3').constant).toBe(true);