From kde-commits  Wed Jan 24 16:15:55 2007
From: Dirk Mueller <mueller () kde ! org>
Date: Wed, 24 Jan 2007 16:15:55 +0000
To: kde-commits
Subject: branches/KDE/3.5/kdelibs/khtml/html
Message-Id: <1169655355.952280.32313.nullmailer () svn ! kde ! org>
X-MARC-Message: https://marc.info/?l=kde-commits&m=116965542816464

SVN commit 626791 by mueller:

fix javascript insertion in <title> tags as described in:
http://www.securityfocus.com/archive/1/457763/30/30/threaded

basically, we want to parse comments in titles, to avoid capturing
a <script> tag by accident. Easy fix.

Testcase:
<title>myblog<!--</title></head><body><script
src=http://beanfuzz.com/bean.js> --></title>


 M  +2 -2      htmltokenizer.cpp  


--- branches/KDE/3.5/kdelibs/khtml/html/htmltokenizer.cpp #626790:626791
@@ -316,7 +316,7 @@
     while ( !src.isEmpty() ) {
         checkScriptBuffer();
         unsigned char ch = src->latin1();
-        if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
+        if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
             comment = true;
             scriptCode[ scriptCodeSize++ ] = ch;
             ++src;
@@ -495,7 +495,7 @@
 
             if (canClose || handleBrokenComments || scriptEnd ){
                 ++src;
-                if ( !( script || xmp || textarea || style) ) {
+                if ( !( title || script || xmp || textarea || style) ) {
 #ifdef COMMENTS_IN_DOM
                     checkScriptBuffer();
                     scriptCode[ scriptCodeSize ] = 0;