On Sep 26, 12:12 pm, Norris Boyd <[EMAIL PROTECTED]> wrote:
> On Sep 13, 8:22 pm, wolffiex <[EMAIL PROTECTED]> wrote:
>
> > Hi everyone,
> > I found a little surprising behavior today with Rhino. I don't know if
> > this is a bug; I'm hoping someone will weigh in. It appears that
> > instanceof doesn't work on objects from a foreign scope. I assume this
> > is because instanceof just looks up the prototype chain, but I wonder
> > if that is the correct implementation, given the fact that you can
> > pass objects from one scope to another using Rhino and Java. Here's my
> > little testcase:
>
> > import org.junit.Test;
> > import org.mozilla.javascript.ContextFactory;
> > import org.mozilla.javascript.Context;
> > import org.mozilla.javascript.Scriptable;
> > import org.mozilla.javascript.ScriptableObject;
>
> > public class ObjectSurprise {
> > @Test
> > public void showBug(){
> > ContextFactory factory = new ContextFactory();
> > Context cx1 = factory.enterContext();
> > Context cx2 = factory.enterContext();
> > final Scriptable scope1 = cx1.initStandardObjects();
>
> > cx1.evaluateString(scope1,
> > "tryMe = function(){return {};}",
> > "tryMe", 1, null);
>
> > Scriptable result = (Scriptable)
> > ScriptableObject.callMethod(scope1, "tryMe", new Object[]
> > {});
>
> > String throwIfNotObject =
> > "isObject = function(obj){ if( !(obj instanceof Object)) throw('not an object');}";
>
> > cx1.evaluateString(scope1, throwIfNotObject, "isObject", 1,
> > null);
> > Object [] arg = { result };
>
> > //doesn't throw, as expected
> > ScriptableObject.callMethod(scope1, "isObject", arg);
> > Context.exit();
>
> > final Scriptable scope2 = cx2.initStandardObjects();
> > cx2.evaluateString(scope2, throwIfNotObject, "isObject", 1,
> > null);
>
> > //throws -- unexpected
> > ScriptableObject.callMethod(scope2, "isObject", arg);
> > Context.exit();
> > }
>
> > }
>
> You're right: instanceof just walks up the prototype chain looking for
> the object. Mixing objects from two separate initStandardObject calls
> is problematic in general; why do you need to do this?
>
> --N
Hi Norris,
Thanks for the reply. This is how I'm handling JSON data from
untrusted sources: I inflate the object in a security-guarded context,
and then inject it into the context where my script is running. Is
this a bad idea? Should I make sure that the different contexts share
a sealed version of the same top level scope?
A
_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
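
The shared-scope arrangement asked about in the last message, as an added example that is not code from the thread or from the Rhino project: it runs the same instanceof check once across two separate initStandardObjects() calls and once across two scopes whose prototype is a single sealed set of standard objects. The class name and the helpers childOf and crossScopeCheck are hypothetical; the three-line child-scope setup follows the shared-scope pattern in Rhino's scope documentation.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class SharedScopeInstanceof {
    static final String MAKE = "function make() { return {}; }";
    static final String CHECK = "function isObject(o) { return o instanceof Object; }";

    // Hypothetical helper: a per-use scope whose prototype is the shared scope,
    // so Object, Array, etc. resolve to the one shared set of built-ins.
    static Scriptable childOf(Context cx, Scriptable shared) {
        Scriptable scope = cx.newObject(shared);
        scope.setPrototype(shared);
        scope.setParentScope(null);
        return scope;
    }

    // Hypothetical helper: create an object in `producer`, then test it with
    // instanceof inside `consumer`, as the test case in the thread does.
    static boolean crossScopeCheck(Context cx, Scriptable producer, Scriptable consumer) {
        cx.evaluateString(producer, MAKE, "make", 1, null);
        cx.evaluateString(consumer, CHECK, "isObject", 1, null);
        Object obj = ScriptableObject.callMethod(producer, "make", new Object[0]);
        Object res = ScriptableObject.callMethod(consumer, "isObject", new Object[] { obj });
        return Context.toBoolean(res);
    }

    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            // Two independent initStandardObjects() calls: each scope gets its
            // own Object constructor and its own Object.prototype.
            boolean separate = crossScopeCheck(cx,
                    cx.initStandardObjects(), cx.initStandardObjects());

            // One set of standard objects, created sealed (second argument true)
            // so scripts cannot modify them, shared by both child scopes.
            ScriptableObject shared = cx.initStandardObjects(null, true);
            boolean sharedSealed = crossScopeCheck(cx,
                    childOf(cx, shared), childOf(cx, shared));

            System.out.println("separate standard objects: " + separate);
            System.out.println("sealed shared scope:       " + sharedSealed);
        } finally {
            Context.exit();
        }
    }
}
```

Each child scope keeps its own globals (make lives only in the producer, isObject only in the consumer), while the prototype chain of every object created in either scope ends at the same Object.prototype.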