The Tor Browser / file comparison
comparison: js/xpconnect/crashtests/509075-1.html
js/xpconnect/crashtests/509075-1.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:7d0ce5633d3b |
|---|---|
| 1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | |
| 2 <html> | |
| 3 <script> | |
| 4 | |
| 5 var txt = document.createTextNode(""); | |
| 6 var b = document.createElement("b"); | |
| 7 var w = b["watch"]; | |
| 8 var txtdg = txt["__lookupGetter__"]; | |
| 9 w["__defineGetter__"]("toString",txtdg); | |
| 10 var obj = { | |
| 11 variable: 910, | |
| 12 fun: function() { | |
| 13 w["toString"](); | |
| 14 } | |
| 15 }; | |
| 16 | |
| 17 function vuln() | |
| 18 { | |
| 19 window.status = "" + obj.variable; | |
| 20 try{ | |
| 21 obj.fun(); | |
| 22 }catch(er){} | |
| 23 return obj; | |
| 24 } | |
| 25 | |
| 26 var ret = vuln(); | |
| 27 </script> | |
| 28 </html> |
