DevTools: Switch from Value to JSON.

webkit/glue/devtools/js/inject_dispatch.js

Index: webkit/glue/devtools/js/inject_dispatch.js
===================================================================
--- webkit/glue/devtools/js/inject_dispatch.js	(revision 24437)
+++ webkit/glue/devtools/js/inject_dispatch.js	(working copy)
@@ -28,10 +28,28 @@
   var params = JSON.parse(json_args);
   var result = devtools$$obj[functionName].apply(devtools$$obj, params);
   return JSON.stringify(result);
-};
+}
 
 
 /**
+ * Removes malicious functions from the objects so that the pure JSON.stringify
+ * was used.
+ */
+function sanitizeJson(obj) {
+  for (var name in obj) {
+    var property = obj[name];
+    var type = typeof property;
+    if (type === "function") {
+      obj[name] = null;

[yurys, 2009/08/26 11:51:42]

is it safe to do in the 'for in' loop?

+    } else if (type === "object") {
+      sanitizeJson(property);

[yurys, 2009/08/26 11:51:42]

this will fail if property is null because typeof null ==
'object'

+    }
+  }
+  return obj;
+}
+
+
+/**
  * This is called by the InspectorFrontend for serialization.
  * We serialize the call and send it to the client over the IPC
  * using dispatchOut bound method.
@@ -48,6 +66,7 @@
     // parameters.
     return;
   }
-  var call = JSON.stringify(args);
+
+  var call = JSON.stringify(sanitizeJson(args));
   DevToolsAgentHost.dispatch(call);
 };