Diffstat (limited to 'WebCore/bindings/v8/custom/V8DocumentCustom.cpp')
-rw-r--r-- | WebCore/bindings/v8/custom/V8DocumentCustom.cpp | 46 |
1 files changed, 40 insertions, 6 deletions
diff --git a/WebCore/bindings/v8/custom/V8DocumentCustom.cpp b/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
index ee68293..4aedde5 100644
--- a/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
@@ -29,9 +29,10 @@
  */
 #include "config.h"
-#include "Document.h"
+#include "V8Document.h"
 #include "CanvasRenderingContext.h"
+#include "Document.h"
 #include "ExceptionCode.h"
 #include "Node.h"
 #include "XPathNSResolver.h"
@@ -53,16 +54,21 @@ namespace WebCore {
-CALLBACK_FUNC_DECL(DocumentEvaluate)
+v8::Handle<v8::Value> V8Document::evaluateCallback(const v8::Arguments& args)
 {
     INC_STATS("DOM.Document.evaluate()");
+<<<<<<< HEAD
 #if ENABLE(XPATH)
     RefPtr<Document> document = V8DOMWrapper::convertDOMWrapperToNode<Document>(args.Holder());
+=======
+
+    RefPtr<Document> document = V8Document::toNative(args.Holder());
+>>>>>>> webkit.org at r54127
     ExceptionCode ec = 0;
     String expression = toWebCoreString(args[0]);
     RefPtr<Node> contextNode;
     if (V8Node::HasInstance(args[1]))
-        contextNode = V8DOMWrapper::convertDOMWrapperToNode<Node>(v8::Handle<v8::Object>::Cast(args[1]));
+        contextNode = V8Node::toNative(v8::Handle<v8::Object>::Cast(args[1]));
     RefPtr<XPathNSResolver> resolver = V8DOMWrapper::getXPathNSResolver(args[2], V8Proxy::retrieve(V8Proxy::retrieveFrameForCallingContext()));
     if (!resolver && !args[2]->IsNull() && !args[2]->IsUndefined())
@@ -71,7 +77,7 @@ CALLBACK_FUNC_DECL(DocumentEvaluate)
     int type = toInt32(args[3]);
     RefPtr<XPathResult> inResult;
     if (V8XPathResult::HasInstance(args[4]))
-        inResult = V8DOMWrapper::convertToNativeObject<XPathResult>(V8ClassIndex::XPATHRESULT, v8::Handle<v8::Object>::Cast(args[4]));
+        inResult = V8XPathResult::toNative(v8::Handle<v8::Object>::Cast(args[4]));
     v8::TryCatch exceptionCatcher;
     RefPtr<XPathResult> result = document->evaluate(expression, contextNode.get(), resolver.get(), type, inResult.get(), ec);
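Review bot: The new side of evaluateCallback still contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> webkit.org at r54127`) around the document lookup, so the file as committed cannot compile and the two variants of that lookup have not been reconciled. The upstream variant, `RefPtr<Document> document = V8Document::toNative(args.Holder());`, matches the `V8Node::toNative` and `V8XPathResult::toNative` conversions adopted elsewhere in this change, while the HEAD variant also leaves the `#if ENABLE(XPATH)` guard open. Whichever variant is kept, the matching `#endif` and the remainder of evaluateCallback lie outside this hunk and need to be checked so that the guard is balanced and the later unconditional `document->evaluate(...)` call in the @@ -71 hunk agrees with it.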
@@ -88,11 +94,11 @@ CALLBACK_FUNC_DECL(DocumentEvaluate)
 }
-CALLBACK_FUNC_DECL(DocumentGetCSSCanvasContext)
+v8::Handle<v8::Value> V8Document::getCSSCanvasContextCallback(const v8::Arguments& args)
 {
     INC_STATS("DOM.Document.getCSSCanvasContext");
     v8::Handle<v8::Object> holder = args.Holder();
-    Document* imp = V8DOMWrapper::convertDOMWrapperToNode<Document>(holder);
+    Document* imp = V8Document::toNative(holder);
     String contextId = toWebCoreString(args[0]);
     String name = toWebCoreString(args[1]);
     int width = toInt32(args[2]);
@@ -110,4 +116,32 @@ CALLBACK_FUNC_DECL(DocumentGetCSSCanvasContext)
     return v8::Undefined();
 }
+
+// DOMImplementation is a singleton in WebCore. If we use our normal
+// mapping from DOM objects to V8 wrappers, the same wrapper will be
+// shared for all frames in the same process. This is a major
+// security problem. Therefore, we generate a DOMImplementation
+// wrapper per document and store it in an internal field of the
+// document. Since the DOMImplementation object is a singleton, we do
+// not have to do anything to keep the DOMImplementation object alive
+// for the lifetime of the wrapper.
+v8::Handle<v8::Value> V8Document::implementationAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
+{
+    ASSERT(info.Holder()->InternalFieldCount() >= internalFieldCount);
+
+    // Check if the internal field already contains a wrapper.
+    v8::Local<v8::Value> implementation = info.Holder()->GetInternalField(V8Document::implementationIndex);
+    if (!implementation->IsUndefined())
+        return implementation;
+
+    // Generate a wrapper.
+    Document* document = V8Document::toNative(info.Holder());
+    v8::Handle<v8::Value> wrapper = V8DOMWrapper::convertDOMImplementationToV8Object(document->implementation());
+
+    // Store the wrapper in the internal field.
+    info.Holder()->SetInternalField(implementationIndex, wrapper);
+
+    return wrapper;
+}
+
 } // namespace WebCore |
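Review bot: implementationAccessorGetter names the same internal-field constants inconsistently: `V8Document::implementationIndex` in the GetInternalField call but bare `implementationIndex` in SetInternalField and bare `internalFieldCount` in the ASSERT; inside a V8Document member the unqualified form throughout, `info.Holder()->GetInternalField(implementationIndex)`, reads cleaner. The wrapper returned by `V8DOMWrapper::convertDOMImplementationToV8Object` is cached in the internal field without being inspected; if that helper can yield an empty handle (its definition is not in this diff), the empty value would be stored and handed back on every later access, so a guard such as `if (wrapper.IsEmpty()) return wrapper;` before the SetInternalField call is worth adding. The per-document caching itself is what prevents one wrapper from being shared across frames, as the leading comment explains, so the fast path should stay keyed on the holder's own internal field as written.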