diff --git a/src/ng/parse.js b/src/ng/parse.js index 01df46857069..9bcd1161cb16 100644 --- a/src/ng/parse.js +++ b/src/ng/parse.js @@ -988,6 +988,9 @@ ASTCompiler.prototype = { intoId = intoId || this.nextId(); self.recurse(ast.object, left, undefined, function() { self.if_(self.notNull(left), function() { + if (create && create !== 1) { + self.addEnsureSafeAssignContext(left); + } if (ast.computed) { right = self.nextId(); self.recurse(ast.property, right); @@ -1602,8 +1605,11 @@ ASTInterpreter.prototype = { rhs = right(scope, locals, assign, inputs); rhs = getStringValue(rhs); ensureSafeMemberName(rhs, expression); - if (create && create !== 1 && lhs && !(lhs[rhs])) { - lhs[rhs] = {}; + if (create && create !== 1) { + ensureSafeAssignContext(lhs); + if (lhs && !(lhs[rhs])) { + lhs[rhs] = {}; + } } value = lhs[rhs]; ensureSafeObject(value, expression); @@ -1618,8 +1624,11 @@ ASTInterpreter.prototype = { nonComputedMember: function(left, right, expensiveChecks, context, create, expression) { return function(scope, locals, assign, inputs) { var lhs = left(scope, locals, assign, inputs); - if (create && create !== 1 && lhs && !(lhs[right])) { - lhs[right] = {}; + if (create && create !== 1) { + ensureSafeAssignContext(lhs); + if (lhs && !(lhs[right])) { + lhs[right] = {}; + } } var value = lhs != null ? lhs[right] : undefined; if (expensiveChecks || isPossiblyDangerousMemberName(right)) { diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js index 82c6223e86ae..9eee8fbebecf 100644 --- a/test/ng/parseSpec.js +++ b/test/ng/parseSpec.js @@ -2740,6 +2740,9 @@ describe('parser', function() { expect(function() { scope.$eval("objConstructor = {}.constructor; objConstructor.join = ''"); }).toThrow(); + expect(function() { + scope.$eval("'a'.constructor.prototype.charAt=[].join"); + }).toThrow(); }); });