From 775753c3d738b50c3d02c18f0e48cd55ee258385 Mon Sep 17 00:00:00 2001
From: Kevin Sawicki
Date: Tue, 25 Apr 2017 14:48:01 -0700
Subject: [PATCH 1/2] Add spec for invalid window.history.go offset
---
 spec/chromium-spec.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/spec/chromium-spec.js b/spec/chromium-spec.js
index 700983bb5ae9..d5d1b3f4782a 100644
--- a/spec/chromium-spec.js
+++ b/spec/chromium-spec.js
@@ -989,4 +989,12 @@ describe('chromium feature', function () {
 }, /Cannot convert object to primitive value/)
 })
 })
+
+ describe('window.history.go(offset)', function () {
+ it('throws an exception when the argumnet cannot be converted to a string', function () {
+ assert.throws(function () {
+ window.history.go({toString: null})
+ }, /Cannot convert object to primitive value/)
+ })
+ })
 })
From 95ef422ab4c350c089ecc4f8fbce24b97c958f19 Mon Sep 17 00:00:00 2001
From: Kevin Sawicki
Date: Tue, 25 Apr 2017 14:49:14 -0700
Subject: [PATCH 2/2] Coerce offset to number in renderer process
---
 lib/renderer/window-setup.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/renderer/window-setup.js b/lib/renderer/window-setup.js
index 5ccb6fec463d..99f7aef54237 100644
--- a/lib/renderer/window-setup.js
+++ b/lib/renderer/window-setup.js
@@ -164,7 +164,7 @@ module.exports = (ipcRenderer, guestInstanceId, openerId, hiddenPage) => {
 }
 window.history.go = function (offset) {
- sendHistoryOperation(ipcRenderer, 'goToOffset', offset)
+ sendHistoryOperation(ipcRenderer, 'goToOffset', +offset)
 }
 defineProperty(window.history, 'length', {
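Review bot: The title of the added `it(...)` misspells `argumnet` and says the argument "cannot be converted to a string", while the second patch in this series coerces the offset to a number. A title such as `'throws an exception when the argument cannot be converted to a number'` would describe what the spec actually exercises. The spec pins only the throwing path; nothing here asserts what reaches the IPC call for an ordinary non-numeric argument. The enclosing `describe('chromium feature', ...)` begins outside the hunk.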
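Review bot: The unary plus in `window.history.go` makes the conversion throw in the renderer, but it still forwards `NaN`, `Infinity` and fractional values: `history.go()` and `history.go('abc')` now send `NaN` on the `goToOffset` operation. Normalising to an integer, for example `sendHistoryOperation(ipcRenderer, 'goToOffset', Math.trunc(+offset) || 0)`, keeps the same TypeError and sends 0 for `NaN`, though `Infinity` would still need its own guard. A short comment such as `// Coerce here so a bad offset throws in the renderer instead of reaching IPC` would explain the otherwise easy-to-miss `+`. The handler that receives `goToOffset` is outside this hunk; since any renderer can send that message, it presumably needs its own type check on the offset rather than relying on this coercion.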