problem with EnsureClr() in ExecutionVisitor

Nov 11, 2010 at 8:08 PM

I set AllowClr=false on my JintEngine. This is fine, except that if you have the 'statement' a.b; (i.e. mispell something in your script). Then you receive a permission exception saying 'use of the clr is not allowed'.

This is coming from ExecutionVisitor.cs:

        public void Visit(MemberExpression expression) {
            if (expression.Previous != null) {
                // the previous part is an property, it will set a callTarget


            // Try to evaluate a CLR type
            if (Result == JsUndefined.Instance && typeFullname.Length > 0) {

                Type type = typeResolver.ResolveType(typeFullname.ToString());

                if (type != null) {
                    Result = Global.WrapClr(type);
                    typeFullname = new StringBuilder();

I think this call to EnsureClrAllowed() should be rewritten as: if (AllowClr) { ...resolve the type... }

I don't think that accidentally mistyping an object name should result in a permission exception....

This is really biting me because I have defined an object model which is implemented as classes which subclass JsObject. I inject a property into the global scope and that object has its own properties, etc. I explicitly turn off AllowClr so that users cannot escape into the .NET Framework. However, if I happen to mistype an object path then I get a clr not allowed exception. And because it is a SecurityException I have no way to know where the error occured in the source.