Fix 'combo breaker' in CreateDynamicFunction to handle template literals.

BUG=chromium:663410 Review-Url: https://codereview.chromium.org/2533463002 Cr-Commit-Position: refs/heads/master@{#41320}
2016-11-28 06:43:35 -08:00 · 2016-11-28 06:43:35 -08:00 · e0d608a2b1
commit e0d608a2b1
parent 54aac1f778
2 changed files with 9 additions and 1 deletions
--- a/src/builtins/builtins-function.cc
+++ b/src/builtins/builtins-function.cc
@ -61,7 +61,7 @@ MaybeHandle<Object> CreateDynamicFunction(Isolate* isolate,
      // If the formal parameters include an unbalanced block comment, the
      // function must be rejected. Since JavaScript does not allow nested
      // comments we can include a trailing block comment to catch this.
-      builder.AppendCString("\n/**/");
+      builder.AppendCString("\n/*``*/");
    }
    builder.AppendCString(") {\n");
    if (argc > 0) {
--- a/test/mjsunit/regress-crbug-663410.js
+++ b/test/mjsunit/regress-crbug-663410.js
@ -0,0 +1,8 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function alert(x) {};
+assertThrows(
+  Function("a=`","`,xss=1){alert(xss)")
+);