--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
+++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
@@ -736,7 +736,9 @@
 text = getValueName(m_value.ident);
 break;
 case CSSPrimitiveValue::CSS_ATTR:
- // ###
+ text = "attr(";
+ text += DOMString( m_value.string );
+ text += ")";
 break;
 case CSSPrimitiveValue::CSS_COUNTER:
 text = "counter(";
--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
+++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
@@ -1318,6 +1318,7 @@
 Value *val;
 CSSValueImpl *parsedValue = 0;
+ bool valid = true;
 while ( (val = valueList->current()) ) {
 if ( val->unit == CSSPrimitiveValue::CSS_URI ) { // url
@@ -1336,6 +1337,14 @@
 if ( args->size() != 1) return false;
 Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ valid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ valid=false;
+ break;
+ }
 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
 } else
@@ -1367,7 +1376,7 @@
 break;
 valueList->next();
 }
- if ( values->length() ) {
+ if ( valid && values->length() ) {
 addProperty( propId, values, important );
 valueList->next();
 return true;
@@ -1384,7 +1393,8 @@
 CounterImpl *counter = new CounterImpl;
 Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
 counter->m_identifier = domString(i->string);
 if (counters) {
 i = args->next();
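Review bot: `text += DOMString( m_value.string );` in the CSS_ATTR case writes the attribute name into the serialized value without escaping, so the output is well-formed only if the stored string is a plain identifier. The cssparser.cpp part of this patch enforces CSS_IDENT for parsed attr() arguments, but two things are not visible here: whether an identifier written with CSS escapes is stored unescaped, and whether a CSS_ATTR value can be created through another path. A comment on the case, e.g. `// name is emitted verbatim; relies on the parser accepting only CSS_IDENT for attr()`, would record that dependency. The enclosing switch starts and ends outside the hunk.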
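Review bot: In the attr() branch (hunk at -1336) the new guards reject a bad argument with `valid=false; break;`, while `if ( args->size() != 1) return false;` just above them still leaves the function directly, so one branch now has two failure paths. If the flag exists so that the code after the loop can release `values` (that cleanup is outside the hunk), the early return bypasses it and should become `if ( args->size() != 1) { valid=false; break; }`. The two guards could be a single condition, and they need a comment such as `// attr() takes one identifier; for any other unit a->string is presumably not a usable string (CVE-2009-1698)`, worded once the layout of Value is confirmed. The reason for refusing a leading '-' is not evident from the patch and should be stated too. The same pair of checks is repeated without comment in the counter() hunk at -1384.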
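Review bot: Both new `goto invalid` exits in the hunk at -1384 are taken after `CounterImpl *counter = new CounterImpl;`, so whether a rejected counter() argument leaks that object depends on the `invalid:` label, which is outside this hunk. Since the rejected input comes from page-supplied CSS, the cleanup is worth confirming. Fetching `Value *i = args->current();` and running the two checks before the allocation would remove that dependency for these exits.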