summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@openbsd.org>2014-07-22 22:41:35 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-07-22 22:41:35 +0000
commit3d2eb53149ca24b5957180553ec66503bbcd3e7b (patch)
tree8712883eef040cdf5086ab3918c6aea131849e1c
parent65cb0941933336f1e6502825398c255d1c4d858e (diff)
downloadmandoc-3d2eb53149ca24b5957180553ec66503bbcd3e7b.tar.gz
Security fix:
The function print_encode() is used both for plain text and for quoted attribute values. Escape the '"' character such that malicious manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe others) to trigger the latter case. In the former case, escaping does no harm. Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
-rw-r--r--html.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/html.c b/html.c
index 1e7a88db..d4f2a057 100644
--- a/html.c
+++ b/html.c
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse)
int c, len, nospace;
const char *seq;
enum mandoc_esc esc;
- static const char rejs[8] = { '\\', '<', '>', '&',
+ static const char rejs[9] = { '\\', '<', '>', '&', '"',
ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
nospace = 0;
@@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse)
case '&':
printf("&amp;");
continue;
+ case '"':
+ printf("&quot;");
+ continue;
case ASCII_NBRSP:
putchar('-');
continue;