Bug 832435 - Fix compartment handling for EvaluteString and javascript: uris. r=bzbarsky

browser/base/content/test/Makefile.in

@@ -165,6 +165,7 @@ _BROWSER_FILES = \
                  browser_bug749738.js \
                  browser_bug783614.js \
                  browser_bug797677.js \
+                 browser_bug832435.js \
                  browser_canonizeURL.js \
                  browser_customize.js \
                  browser_findbarClose.js \

browser/base/content/test/browser_bug832435.js

@@ -0,0 +1,19 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+function test() {
+  waitForExplicitFinish();
+  ok(true, "Starting up");
+
+  gBrowser.selectedBrowser.focus();
+  gURLBar.addEventListener("focus", function onFocus() {
+    gURLBar.removeEventListener("focus", onFocus);
+    ok(true, "Invoked onfocus handler");
+    EventUtils.synthesizeKey("VK_RETURN", { shiftKey: true });
+    ok(true, "Evaluated without crashing");
+    finish();
+  });
+  gURLBar.inputField.value = "javascript: document.body.innerHTML = '11111111'); ";
+  gURLBar.focus();
+}

dom/base/nsJSEnvironment.cpp

@@ -1293,6 +1293,9 @@ nsJSContext::EvaluateString(const nsAString& aScript,
   pusher.Pop();
   ScriptEvaluated(true);
 
+  // Wrap the return value into whatever compartment mContext was in.
+  if (!JS_WrapValue(mContext, aRetValue))
+    return NS_ERROR_OUT_OF_MEMORY;
   return NS_OK;
 }
 

dom/src/jsurl/nsJSProtocolHandler.cpp

@@ -340,6 +340,12 @@ nsresult nsJSThunk::EvaluateScript(nsIChannel *aChannel,
         ::JS_ReportPendingException(cx);
     }
 
+    // If we took the sandbox path above, v might be in the sandbox
+    // compartment.
+    if (!JS_WrapValue(cx, &v)) {
+        return NS_ERROR_OUT_OF_MEMORY;
+    }
+
     if (NS_FAILED(rv)) {
         rv = NS_ERROR_MALFORMED_URI;
     }