Bug 161409

Summary: [testcase] Konq treats escaped HTML in <title> tag incorrectly
Product: [Applications] konqueror    Reporter: Martin Meredith <mez>
Component: general    Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: grave    CC: andresbajotierra, lemma
Priority: HI
Version: unspecified
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Attachments: testcase; testcase; Test case to show this only occurs with &lt!-- in the title tag

Description Martin Meredith 2008-04-29 13:27:42 UTC
Version:            (using KDE 4.0.3)
Installed from:    Ubuntu Packages
OS:                Linux

I noticed this come up when a page rendered incorrectly for me in Konqueror for no apparent reason (the page was http://www.vbulletin.com/forum/project.php?issueid=25345)

For some reason, Konqueror is treating &lt;!-- in the title as a comment, removing the rest of the title from display.

If, however, somewhere in the rest of the HTML there is a -->, then it will treat any further &lt;!-- in the code as comments ...

A shorter reproduction than the above can be found at http://files.sourceguru.net/konqtestcase.html - compare the source code to what is actually displayed.
Comment 1 Martin Meredith 2008-04-29 13:28:25 UTC
This also appears in Konq 3.5.9
Comment 2 Michael Leupold 2008-04-29 13:30:09 UTC
Confirmed on trunk r802362.
Comment 3 Michael Leupold 2008-04-29 13:31:39 UTC
Created attachment 24556 [details]
testcase

Uploaded Martin's testcase
Comment 4 Michael Leupold 2008-04-29 13:36:29 UTC
Created attachment 24557 [details]
testcase

Modified the testcase a little to triage the problem.
Comment 5 Martin Meredith 2008-04-29 13:41:23 UTC
Created attachment 24558 [details]
Test case to show this only occurs with &lt!-- in the title tag
Comment 6 Michael Leupold 2008-04-29 13:46:12 UTC
*** Bug 160464 has been marked as a duplicate of this bug. ***
Comment 7 Michael Leupold 2008-04-29 13:47:04 UTC
Also see http://bugs.kde.org/show_bug.cgi?id=83284 for a page that doesn't display nicely.
Comment 8 Martin Meredith 2008-04-29 13:49:53 UTC
This also creates security issues, as any &lt; or &gt; in the rest of the page gets interpreted literally. For example:

&lt;script&gt;alert(document.cookie);&lt;/script&gt;

Will be interpreted as

<script>alert(document.cookie)</script>
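The parsing rule at the heart of the description and of comment 8, as an added example that is not Konqueror's tokenizer or any of the attached test cases: `<title>` is RCDATA, so the only thing that can end it is `</title>`; character references are decoded, but `<!--` inside it is ordinary text and must not start a comment. The document below is constructed to mirror the report, with an escaped comment opener in the title and an escaped script element in the body; a tokenizer that follows the rule keeps the whole title and leaves the body's `&lt;script&gt;` as text.

```python
import html

RCDATA_ELEMENTS = {"title", "textarea"}  # entities decoded, no tag or comment scanning

def tokenize(doc):
    """Minimal HTML tokenizer returning (kind, value) tuples with kinds
    'start', 'end', 'comment' and 'text'. In DATA state '<!--' opens a
    comment; inside an RCDATA element only the matching end tag is looked for."""
    tokens, i, n = [], 0, len(doc)
    rcdata = None  # name of the RCDATA element currently open, if any
    while i < n:
        if rcdata:
            close = doc.lower().find("</" + rcdata, i)  # e.g. only '</title' ends it
            close = n if close == -1 else close
            tokens.append(("text", html.unescape(doc[i:close])))
            i, rcdata = close, None
        elif doc.startswith("<!--", i):
            end = doc.find("-->", i + 4)
            end = n if end == -1 else end
            tokens.append(("comment", doc[i + 4:end]))
            i = end + 3
        elif doc.startswith("<", i):
            end = doc.find(">", i)
            end = n if end == -1 else end
            raw = doc[i + 1:end].strip()
            if raw.startswith("/"):
                tokens.append(("end", raw[1:].strip().lower()))
            else:
                name = raw.split()[0].lower() if raw else ""
                tokens.append(("start", name))
                if name in RCDATA_ELEMENTS:
                    rcdata = name
            i = end + 1
        else:
            end = doc.find("<", i)
            end = n if end == -1 else end
            tokens.append(("text", html.unescape(doc[i:end])))
            i = end
    return tokens

def title_text(doc):
    """Displayed title: the decoded text between <title> and </title>."""
    out, inside = [], False
    for kind, val in tokenize(doc):
        if kind in ("start", "end") and val == "title":
            inside = kind == "start"
        elif inside and kind == "text":
            out.append(val)
    return "".join(out)

def start_tag_names(doc):
    return {val for kind, val in tokenize(doc) if kind == "start"}

# Constructed document modelled on the report (not one of the attachments).
SAMPLE = ("<html><head><title>Issue &lt;!-- note --&gt; tracker</title></head>"
          "<body><p>&lt;script&gt;alert(document.cookie);&lt;/script&gt;</p></body></html>")
```

The regression check for this bug is that `title_text(SAMPLE)` returns the full decoded title and `start_tag_names(SAMPLE)` contains no `script` entry, while a real `<!-- -->` outside the title is still tokenized as a comment.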
Comment 9 Martin Meredith 2008-04-29 14:16:44 UTC
Changed priority to high as this could cause major security issues.
Comment 10 Casey Link 2008-06-01 09:32:40 UTC
I could reproduce this bug with these testcases:
http://bugs.kde.org/show_bug.cgi?id=83284
http://bugs.kde.org/attachment.cgi?id=24557&action=view


This testcase passed (did not display the bug):
http://bugs.kde.org/attachment.cgi?id=24558&action=view

using trunk r814918
Comment 11 Dario Andres 2008-12-21 22:04:38 UTC
Still valid in current trunk:

Qt: 4.4.3
KDE: 4.1.85 (KDE 4.1.85 (KDE 4.2 Beta2))
kdelibs svn rev. 899634 / kdebase svn rev. 899635
on ArchLinux x86_64 - Kernel 2.6.27.8
Comment 12 Jaime Torres 2009-12-15 21:34:50 UTC
SVN commit 1062741 by jtamate:

BUG: 83284
BUG: 161409

&lt;-- is no longer a comment start.

http://reviewboard.kde.org/r/2358/

 M  +1 -1      htmltokenizer.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1062741
Comment 13 Germain Garand 2010-01-06 05:55:40 UTC
SVN commit 1070587 by ggarand:

change r1062741 to rather skip comment detection in |title| altogether,
in order to avoid some regressions in |script| tag parsing.

This should be functionally equivalent (see comments on #83284)
and is actually closer to the behaviour of Gecko.

CCBUG: 83284
CCBUG: 161409

 M  +1 -1      htmltokenizer.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1070587