Bug 1340145 - Don't allow HTML comments in module scripts r=anba

2024-11-29 07:42:04 +00:00 · 2017-02-21 17:18:04 +00:00 · 2017-02-21 17:18:04 +00:00 · 7b865b5def
commit 7b865b5def
parent 6f6fe80e74
4 changed files with 20 additions and 12 deletions
--- a/js/src/builtin/ReflectParse.cpp
+++ b/js/src/builtin/ReflectParse.cpp
@ -3696,6 +3696,7 @@ reflect_parse(JSContext* cx, uint32_t argc, Value* vp)
    CompileOptions options(cx);
    options.setFileAndLine(filename, lineno);
    options.setCanLazilyParse(false);
+    options.allowHTMLComments = target == ParseTarget::Script;
    mozilla::Range<const char16_t> chars = linearChars.twoByteRange();
    UsedNameTracker usedNames(cx);
    if (!usedNames.init())
--- a/js/src/frontend/BytecodeCompiler.cpp
+++ b/js/src/frontend/BytecodeCompiler.cpp
@ -589,6 +589,7 @@ frontend::CompileModule(JSContext* cx, const ReadOnlyCompileOptions& optionsInpu
    CompileOptions options(cx, optionsInput);
    options.maybeMakeStrictMode(true); // ES6 10.2.1 Module code is always strict mode code.
    options.setIsRunOnce(true);
+    options.allowHTMLComments = false;

    RootedScope emptyGlobalScope(cx, &cx->global()->emptyGlobalScope());
    BytecodeCompiler compiler(cx, alloc, options, srcBuf, emptyGlobalScope,
--- a/js/src/frontend/TokenStream.cpp
+++ b/js/src/frontend/TokenStream.cpp
@ -1719,14 +1719,16 @@ TokenStream::getTokenInternal(TokenKind* ttp, Modifier modifier)
        goto out;

      case '<':
-        // NB: treat HTML begin-comment as comment-till-end-of-line.
-        if (matchChar('!')) {
-            if (matchChar('-')) {
-                if (matchChar('-'))
-                    goto skipline;
-                ungetChar('-');
+        if (options().allowHTMLComments) {
+            // Treat HTML begin-comment as comment-till-end-of-line.
+            if (matchChar('!')) {
+                if (matchChar('-')) {
+                    if (matchChar('-'))
+                        goto skipline;
+                    ungetChar('-');
+                }
+                ungetChar('!');
            }
-            ungetChar('!');
        }
        if (matchChar('<')) {
            tp->type = matchChar('=') ? TOK_LSHASSIGN : TOK_LSH;
@ -1866,12 +1868,14 @@ TokenStream::getTokenInternal(TokenKind* ttp, Modifier modifier)

      case '-':
        if (matchChar('-')) {
-            int32_t c2;
-            if (!peekChar(&c2))
-                goto error;
+            if (options().allowHTMLComments && !flags.isDirtyLine) {
+                int32_t c2;
+                if (!peekChar(&c2))
+                    goto error;

-            if (c2 == '>' && !flags.isDirtyLine)
-                goto skipline;
+                if (c2 == '>')
+                    goto skipline;
+            }

            tp->type = TOK_DEC;
        } else {
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@ -3854,6 +3854,7 @@ class JS_FRIEND_API(TransitiveCompileOptions)
        forceAsync(false),
        installedFile(false),
        sourceIsLazy(false),
+        allowHTMLComments(true),
        introductionType(nullptr),
        introductionLineno(0),
        introductionOffset(0),
@ -3890,6 +3891,7 @@ class JS_FRIEND_API(TransitiveCompileOptions)
    bool forceAsync;
    bool installedFile;  // 'true' iff pre-compiling js file in packaged app
    bool sourceIsLazy;
+    bool allowHTMLComments;

    // |introductionType| is a statically allocated C string:
    // one of "eval", "Function", or "GeneratorFunction".