File CVE-2007-0537.diff of Package kdelibs3
------------------------------------------------------------------------
r626791 | mueller | 2007-01-24 17:15:54 +0100 (Wed, 24 Jan 2007) | 10 lines
fix javascript insertion in <title> tags as described in:
http://www.securityfocus.com/archive/1/457763/30/30/threaded
basically, we want to parse comments in titles, to avoid capturing
a <script> tag by accident. Easy fix.
Testcase:
<title>myblog<!--</title></head><body><script
src=http://beanfuzz.com/bean.js> --></title>
------------------------------------------------------------------------
Index: khtml/html/htmltokenizer.cpp
===================================================================
--- khtml/html/htmltokenizer.cpp (revision 626790)
+++ khtml/html/htmltokenizer.cpp (revision 626791)
@@ -316,7 +316,7 @@ void HTMLTokenizer::parseSpecial(Tokeniz
while ( !src.isEmpty() ) {
checkScriptBuffer();
unsigned char ch = src->latin1();
- if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
+ if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
comment = true;
scriptCode[ scriptCodeSize++ ] = ch;
++src;
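Review bot: Nothing in the rewritten condition records why `title` was dropped from it, and the change is only correct together with the parseComment hunk below that adds `title` to the modes keeping the comment bytes in scriptCode; applying one hunk without the other would emit the comment as a separate token and cut the title text in two. A comment on the condition would tie the two together and stop a later cleanup from reintroducing the bypass, e.g. `// Recognise "<!--" inside <title> too: a "</title>" hidden in a comment must not end the title early (CVE-2007-0537); parseComment keeps the comment text in scriptCode for title.` The condition is also long enough that naming the `QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-"` lookback as a local bool would make the list of excluded modes easier to audit. parseSpecial continues outside the hunk.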
@@ -495,7 +495,7 @@ void HTMLTokenizer::parseComment(Tokeniz
if (canClose || handleBrokenComments || scriptEnd ){
++src;
- if ( !( script || xmp || textarea || style) ) {
+ if ( !( title || script || xmp || textarea || style) ) {
#ifdef COMMENTS_IN_DOM
checkScriptBuffer();
scriptCode[ scriptCodeSize ] = 0;