Status: New
Owner: mikes...@gmail.com
Labels: Type-Defect Priority-High Component-Build
New issue 1956 by kpr...@google.com: JS minifier (optimizer) transforms comma expressions invalidly
https://code.google.com/p/google-caja/issues/detail?id=1956
The minifier incorrectly transforms

    q = (1,y.z)();

to

    q = y.z();

Additionally, I tried writing the obvious test case for this (in
JsOptimizerTest.java) and it hung in an infinite loop inside
ParseTreeKB.optimize:
+ public final void testCommaNotChanged() throws Exception {
+ assertOptimized(
+ js(fromString("q = (1,y.z)();")),
+ js(fromString("q = (1,y.z)();")));
+ }
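Review bot: testCommaNotChanged has no bound on its run time, and the report says this exact input loops forever inside ParseTreeKB.optimize, so as written it would hang the suite instead of failing; give it a time limit so the regression shows up as a failure. The test also needs a short comment saying why the comma wrapper must survive: `(1,y.z)()` calls the function without `y` as its `this`, while `y.z()` passes `y`, and without that note the identical input and expected strings look like a mistake.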
This is not currently a vulnerability as we never use the (1,o.m)() form
statically in any critical location. However, it is a significant hazard
for future code changes (because we use this pattern in other ways and so
it looks like a fine thing to do).
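An added example, not part of the issue report or of Caja's code: a differential check in JavaScript that runs the original and the transformed snippet against the same constructed `y` and compares both the result and the receiver (`this`) the callee observed. `makeY`, `run`, `compareTransform` and the `secret` value are hypothetical names and data made up for this illustration.

```javascript
// Added example: differential check for the transform reported in the issue.
// All names and the `secret` value are constructed for illustration.

// Build a fresh `y` whose method records the receiver (`this`) it was given.
function makeY(seen) {
  const y = { secret: 'constructed-secret' };
  y.z = function () {
    'use strict'; // strict callee: a missing receiver stays undefined
    seen.push(this === undefined ? 'undefined' : this === y ? 'y' : 'other');
    return this === undefined ? null : this.secret;
  };
  return y;
}

// Evaluate one snippet that assigns to `q`; return q and the receiver seen.
function run(src) {
  const seen = [];
  const q = new Function('y', 'var q; ' + src + '\nreturn q;')(makeY(seen));
  return { q: q, receiver: seen[0] };
}

// A rewrite is acceptable only if result and observed receiver both match.
function compareTransform(original, minified) {
  const a = run(original);
  const b = run(minified);
  return {
    equivalent: a.q === b.q && a.receiver === b.receiver,
    original: a,
    minified: b,
  };
}

// The pair from the issue: after the rewrite the callee gains `y` as receiver.
const reported = compareTransform('q = (1,y.z)();', 'q = y.z();');
// Control: here the comma wraps the call result, so dropping it is safe.
const control = compareTransform('q = (1,y.z());', 'q = y.z();');

console.log(reported, control);
```

The control pair shows that the position of the closing parenthesis decides whether the comma can be dropped: only when the comma expression is itself the callee does removing it change the receiver.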