List: kde-commits
Subject: branches/KDE/3.5/kdelibs/khtml/html
From: Dirk Mueller <mueller () kde ! org>
Date: 2007-01-24 16:15:55
Message-ID: 1169655355.952280.32313.nullmailer () svn ! kde ! org
SVN commit 626791 by mueller:
fix javascript insertion in <title> tags as described in:
http://www.securityfocus.com/archive/1/457763/30/30/threaded
basically, we want to parse comments in titles, to avoid capturing
a <script> tag by accident. Easy fix.
Testcase:
<title>myblog<!--</title></head><body><script
src=http://beanfuzz.com/bean.js> --></title>
M +2 -2 htmltokenizer.cpp
--- branches/KDE/3.5/kdelibs/khtml/html/htmltokenizer.cpp #626790:626791
@@ -316,7 +316,7 @@
while ( !src.isEmpty() ) {
checkScriptBuffer();
unsigned char ch = src->latin1();
- if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && \
ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( \
scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) { + if ( \
!scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && \
scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 \
).string() == "<!-" ) { comment = true;
scriptCode[ scriptCodeSize++ ] = ch;
++src;
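Review bot: the comment-start condition at line 316 still excludes textarea and xmp but no longer title, and nothing next to it says why the three are treated differently. A one-line comment above the if, recording that title content is scanned for comments so that a </title> inside <!-- ... --> does not end the element, would stop a later cleanup from putting !title back. Since the condition is also gated on !brokenComments, please confirm that a title containing an unterminated <!-- recovers rather than swallowing the rest of the document as a comment.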
@@ -495,7 +495,7 @@
if (canClose || handleBrokenComments || scriptEnd ){
++src;
- if ( !( script || xmp || textarea || style) ) {
+ if ( !( title || script || xmp || textarea || style) ) {
#ifdef COMMENTS_IN_DOM
checkScriptBuffer();
scriptCode[ scriptCodeSize ] = 0;
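Review bot: no regression test accompanies the new title check at line 498; the commit touches only htmltokenizer.cpp (+2 -2), so the testcase exists only in the commit message. Please add it as a test, together with a title that holds a complete <!-- ... --> comment and one with an unterminated <!--, so that this condition and the one at line 316 are exercised together. The two conditions must agree on title: if one is changed without the other, the guarded block starting at #ifdef COMMENTS_IN_DOM would run for title comments again.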