path: root/WebCore/bindings/js/ScriptController.cpp
Diffstat (limited to 'WebCore/bindings/js/ScriptController.cpp')
-rw-r--r--WebCore/bindings/js/ScriptController.cpp36
1 files changed, 24 insertions, 12 deletions
diff --git a/WebCore/bindings/js/ScriptController.cpp b/WebCore/bindings/js/ScriptController.cpp
index 2f676c0..8908155 100644
--- a/WebCore/bindings/js/ScriptController.cpp
+++ b/WebCore/bindings/js/ScriptController.cpp
@@ -33,6 +33,7 @@
#include "ScriptSourceCode.h"
#include "ScriptValue.h"
#include "Settings.h"
+#include "XSSAuditor.h"
#include "npruntime_impl.h"
#include "runtime_root.h"
#include <debugger/Debugger.h>
@@ -55,6 +56,7 @@ ScriptController::ScriptController(Frame* frame)
#if PLATFORM(MAC)
, m_windowScriptObject(0)
#endif
+ , m_XSSAuditor(new XSSAuditor(frame))
{
#if PLATFORM(MAC) && ENABLE(MAC_JAVA_BRIDGE)
static bool initializedJavaJSBindings;
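Review bot: The new initializer `m_XSSAuditor(new XSSAuditor(frame))` allocates with a bare `new`, and this hunk does not show the member's declared type or the matching release in `~ScriptController()`. If `m_XSSAuditor` is declared as an `OwnPtr<XSSAuditor>` the lifetime is handled; if it is a raw `XSSAuditor*`, the destructor (outside this hunk) needs a `delete m_XSSAuditor;` or the auditor leaks with every frame. Either way a short comment on the member in the header would make the ownership explicit, e.g. `// Owned by ScriptController; lives as long as the frame's script controller.` The constructor body continues past the end of the hunk.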
@@ -79,10 +81,21 @@ ScriptController::~ScriptController()
ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)
{
+ const SourceCode& jsSourceCode = sourceCode.jsSourceCode();
+ String sourceURL = jsSourceCode.provider()->url();
+
+ if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) {
+ // This JavaScript URL is not safe to be evaluated.
+ return JSValue();
+ }
+
+ if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) {
+ // This script is not safe to be evaluated.
+ return JSValue();
+ }
+
// evaluate code. Returns the JS return value or 0
// if there was none, an error occured or the type couldn't be converted.
-
- const SourceCode& jsSourceCode = sourceCode.jsSourceCode();
initScriptIfNeeded();
// inlineCode is true for <a href="javascript:doSomething()">
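Review bot: The two new guards decide between `canEvaluateJavaScriptURL` and `canEvaluate` solely on whether `jsSourceCode.provider()->url()` is null, and nothing in the hunk states why a null provider URL reliably identifies a javascript: URL rather than, say, an inline script whose provider was built without a URL; if that assumption does not hold, a script could be checked by the wrong auditor path. Please record the invariant next to the first check, e.g. `// A null provider URL means this source came from a javascript: URL; document and external scripts always carry one.` (worth confirming against the ScriptSourceCode constructors). Both blocked paths return an empty `JSValue()`, which is indistinguishable from the "no result / error" case described by the comment that now follows them; a one-line note that callers cannot tell a blocked script from one that produced no value would help. The body of `evaluate` continues beyond this hunk.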
@@ -91,10 +104,9 @@ ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)
// See smart window.open policy for where this is used.
ExecState* exec = m_windowShell->window()->globalExec();
const String* savedSourceURL = m_sourceURL;
- String sourceURL = jsSourceCode.provider()->url();
m_sourceURL = &sourceURL;
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
RefPtr<Frame> protect = m_frame;
@@ -123,7 +135,7 @@ void ScriptController::clearWindowShell()
if (!m_windowShell)
return;
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
// Clear the debugger from the current window before setting the new window.
attachDebugger(0);
@@ -145,7 +157,7 @@ void ScriptController::initScript()
if (m_windowShell)
return;
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
m_windowShell = new JSDOMWindowShell(m_frame->domWindow());
m_windowShell->window()->updateDocument();
@@ -242,7 +254,7 @@ void ScriptController::updateDocument()
if (!m_frame->document())
return;
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
if (m_windowShell)
m_windowShell->window()->updateDocument();
}
@@ -258,7 +270,7 @@ Bindings::RootObject* ScriptController::bindingRootObject()
return 0;
if (!m_bindingRootObject) {
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
m_bindingRootObject = Bindings::RootObject::create(0, globalObject());
}
return m_bindingRootObject.get();
@@ -284,7 +296,7 @@ NPObject* ScriptController::windowScriptNPObject()
if (isEnabled()) {
// JavaScript is enabled, so there is a JavaScript window object.
// Return an NPObject bound to the window object.
- JSC::JSLock lock(false);
+ JSC::JSLock lock(SilenceAssertionsOnly);
JSObject* win = windowShell()->window();
ASSERT(win);
Bindings::RootObject* root = bindingRootObject();
@@ -318,9 +330,9 @@ JSObject* ScriptController::jsObjectForPluginElement(HTMLPlugInElement* plugin)
return 0;
// Create a JSObject bound to this element
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
ExecState* exec = globalObject()->globalExec();
- JSValue jsElementValue = toJS(exec, plugin);
+ JSValue jsElementValue = toJS(exec, globalObject(), plugin);
if (!jsElementValue || !jsElementValue.isObject())
return 0;
@@ -352,7 +364,7 @@ void ScriptController::cleanupScriptObjectsForPlugin(void* nativeHandle)
void ScriptController::clearScriptObjects()
{
- JSLock lock(false);
+ JSLock lock(SilenceAssertionsOnly);
RootObjectMap::const_iterator end = m_rootObjects.end();
for (RootObjectMap::const_iterator it = m_rootObjects.begin(); it != end; ++it)