diff -ur kdelibs-3.5.10/khtml/css/cssparser.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp

--- kdelibs-3.5.10/khtml/css/cssparser.cpp	2007-01-15 12:34:04.000000000 +0100

+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp	2009-07-26 05:46:39.000000000 +0200

@@ -1344,6 +1344,14 @@

                 if ( args->size() != 1)

                     return false;

                 Value *a = args->current();

+                if (a->unit != CSSPrimitiveValue::CSS_IDENT) {

+                    isValid=false;

+                    break;

+                }

+                if (qString(a->string)[0] == '-') {

+                    isValid=false;

+                    break;

+                }

                 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);

             }

             else

@@ -1396,7 +1404,8 @@

     CounterImpl *counter = new CounterImpl;

     Value *i = args->current();

-//    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;

+    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;

+    if (qString(i->string)[0] == '-') goto invalid;

     counter->m_identifier = domString(i->string);

     if (counters) {

         i = args->next();

diff -ur kdelibs-3.5.10/khtml/css/css_valueimpl.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp

--- kdelibs-3.5.10/khtml/css/css_valueimpl.cpp	2006-07-22 10:16:49.000000000 +0200

+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp	2009-07-26 05:45:36.000000000 +0200

@@ -736,7 +736,9 @@

 	    text = getValueName(m_value.ident);

 	    break;

 	case CSSPrimitiveValue::CSS_ATTR:

-	    // ###

+            text = "attr(";

+            text += DOMString( m_value.string );

+            text += ")";

 	    break;

 	case CSSPrimitiveValue::CSS_COUNTER:

             text = "counter(";