Closed Bug 1650518 Opened 5 years ago Closed 3 years ago

Invalid String.prototype.replace with string search value: "a>".replace(/>/, "$+") returns "a"

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox93 --- fixed

People

(Reporter: 1059252359, Assigned: evilpies)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1650518 - Remove the non-standard String.prototype.replace extension $+. r?jandem
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

var NISLFuzzingFunc = function(e,nislMutationParameter0){
return e.replace(/>/,nislMutationParameter0);
};
var NISLParameter0 = 'a>';
var nislMutationArgument0 = '$+';
var NISLCallingResult = NISLFuzzingFunc(NISLParameter0,nislMutationArgument0);
print(NISLCallingResult);

Actual results:

The output is "a".

Expected results:

The above program should output "a$+".

Component: Untriaged → JavaScript Engine
Flags: needinfo?(iireland)
Product: Firefox → Core
Version: 69 Branch → unspecified

I think the '$' character needs to be escaped with $.
"a>".replace(/>/, "$$+")

Should we just remove this non-standard extension? It's not even in the MDN docs.

It doesn't seem worth the (probably small, but still) web compat risk.

Flags: needinfo?(jorendorff)
Flags: needinfo?(iireland)
Flags: needinfo?(andrebargull)
Blocks: 1103158

We could try to remove this by starting to warn about it. I don't expect any web-sites issues, because we're the only browser supporting this extension, but addons could be affected.

Flags: needinfo?(andrebargull)

I vote we just remove it. I'd be surprised if any addons are using this.

RegExp.lastParen and RegExp['$+'] are also nonstandard but documented and widely implemented. They work in Chrome. They can't be removed.

Flags: needinfo?(jorendorff)
Severity: -- → S3
Priority: -- → P3

(In reply to Jason Orendorff [:jorendorff] from comment #5)

RegExp.lastParen and RegExp['$+'] are also nonstandard but documented and widely implemented. They work in Chrome. They can't be removed.

https://github.com/tc39/proposal-regexp-legacy-features, but that proposal isn't super active.

Assignee: nobody → evilpies

I agree with Jason from a year ago, just removing this is hopefully fine. Most programs probably won't have catastrophic failures with some unreplaced string.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/7b4e64801efa Remove the non-standard String.prototype.replace extension $+. r=jandem

https://hg.mozilla.org/mozilla-central/rev/7b4e64801efa

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox93: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: