DevTools: Sanitize objects being serialized so that prototype.js did not affect JSON.stringify.

BUG=19850

Review URL: http://codereview.chromium.org/160098

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24440 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 21 insertions, 2 deletions

diff --git a/webkit/glue/devtools/js/inject_dispatch.js b/webkit/glue/devtools/js/inject_dispatch.js
index 9cc68f7..4b8ec04 100644
--- a/webkit/glue/devtools/js/inject_dispatch.js
+++ b/webkit/glue/devtools/js/inject_dispatch.js
@@ -28,7 +28,25 @@ function devtools$$dispatch(functionName, json_args) {
   var params = JSON.parse(json_args);
   var result = devtools$$obj[functionName].apply(devtools$$obj, params);
   return JSON.stringify(result);
-};
+}
+
+
+/**
+ * Removes malicious functions from the objects so that the pure JSON.stringify
+ * was used.
+ */
+function sanitizeJson(obj) {
+  for (var name in obj) {
+    var property = obj[name];
+    var type = typeof property;
+    if (type === "function") {
+      obj[name] = null;
+    } else if (obj !== null && type === "object") {
+      sanitizeJson(property);
+    }
+  }
+  return obj;
+}
 
 
 /**
@@ -48,6 +66,7 @@ var dispatch = function(method, var_args) {
     // parameters.
     return;
   }
-  var call = JSON.stringify(args);
+
+  var call = JSON.stringify(sanitizeJson(args));
   DevToolsAgentHost.dispatch(call);
 };