From 33e60e8e78543462d31e8c6a7c3577ffe18b6647 Mon Sep 17 00:00:00 2001 From: tpearson Date: Wed, 29 Sep 2010 05:15:51 +0000 Subject: Critical security patches for the following vulnerabilities: CVE-2009-0689 CVE-2009-1687 CVE-2009-1690 CVE-2009-1698 CVE-2009-2702 git-svn-id: svn://anonsvn.kde.org/home/kde/branches/trinity/kdelibs@1180823 283d02a7-25f6-0310-bc7c-ecb5cbfe19da --- khtml/css/css_valueimpl.cpp | 4 +++- khtml/css/cssparser.cpp | 11 ++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'khtml/css') diff --git a/khtml/css/css_valueimpl.cpp b/khtml/css/css_valueimpl.cpp index 73a53d5d2..52e962725 100644 --- a/khtml/css/css_valueimpl.cpp +++ b/khtml/css/css_valueimpl.cpp @@ -736,7 +736,9 @@ DOM::DOMString CSSPrimitiveValueImpl::cssText() const text = getValueName(m_value.ident); break; case CSSPrimitiveValue::CSS_ATTR: - // ### + text = "attr("; + text += DOMString( m_value.string ); + text += ")"; break; case CSSPrimitiveValue::CSS_COUNTER: text = "counter("; diff --git a/khtml/css/cssparser.cpp b/khtml/css/cssparser.cpp index 23eeb69a9..d167af025 100644 --- a/khtml/css/cssparser.cpp +++ b/khtml/css/cssparser.cpp @@ -1351,6 +1351,14 @@ bool CSSParser::parseContent( int propId, bool important ) if ( args->size() != 1) return false; Value *a = args->current(); + if (a->unit != CSSPrimitiveValue::CSS_IDENT) { + isValid=false; + break; + } + if (qString(a->string)[0] == '-') { + isValid=false; + break; + } parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR); } else @@ -1403,7 +1411,8 @@ CSSValueImpl* CSSParser::parseCounterContent(ValueList *args, bool counters) CounterImpl *counter = new CounterImpl; Value *i = args->current(); -// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid; + if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid; + if (qString(i->string)[0] == '-') goto invalid; counter->m_identifier = domString(i->string); if (counters) { i = args->next(); -- cgit v1.2.1