fix($parse): check function call context to be safe

Closes #4417
angular · Oct 15, 2013 · 6d324c7 · 6d324c7
1 parent 3aefd3a
commit 6d324c7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/ng/parse.js b/src/ng/parse.js
@@ -754,6 +754,7 @@ Parser.prototype = {
  }
  var fnPtr = fn(scope, locals, context) || noop;
 
+ ensureSafeObject(context, parser.text);
  ensureSafeObject(fnPtr, parser.text);
 
  // IE stupidity! (IE doesn't have apply for some native functions)

diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js
@@ -730,6 +730,20 @@ describe('parser', function() {
  '$parse', 'isecdom', 'Referencing DOM nodes in Angular expressions is ' +
  'disallowed! Expression: getDoc()');
  }));
+
+ it('should NOT allow calling functions on Window or DOM', inject(function($window, $document) {
+ scope.a = {b: { win: $window, doc: $document }};
+ expect(function() {
+ scope.$eval('a.b.win.alert(1)', scope);
+ }).toThrowMinErr(
+ '$parse', 'isecwindow', 'Referencing the Window in Angular expressions is ' +
+ 'disallowed! Expression: a.b.win.alert(1)');
+ expect(function() {
+ scope.$eval('a.b.doc.on("click")', scope);
+ }).toThrowMinErr(
+ '$parse', 'isecdom', 'Referencing DOM nodes in Angular expressions is ' +
+ 'disallowed! Expression: a.b.doc.on("click")');
+ }));
  });
  });