author | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-22 22:41:35 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-22 22:41:35 +0000 |
commit | 3d2eb53149ca24b5957180553ec66503bbcd3e7b (patch) | |
tree | 8712883eef040cdf5086ab3918c6aea131849e1c | |
parent | 65cb0941933336f1e6502825398c255d1c4d858e (diff) | |
download | mandoc-3d2eb53149ca24b5957180553ec66503bbcd3e7b.tar.gz | |
Security fix:
The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
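The escaping the commit message describes, as an added example that is not mandoc's own code: a minimal encoder for text placed inside a double-quoted HTML attribute value, escaping the same HTML-significant bytes the patched rejs[] lists, plus a check that no raw '"' survives encoding. The names encode_attr and count_quotes are chosen here; the roff escape handling of the real print_encode() is not modeled.

```c
#include <string.h>

/*
 * Added example, not mandoc's print_encode(): encode text that will be
 * placed inside a double-quoted HTML attribute value, escaping the same
 * HTML-significant bytes the patched rejs[] lists ('<', '>', '&' and the
 * newly added '"').  The roff escape handling ('\\' in the original) is
 * not modeled.  Returns the bytes written (excluding the terminating NUL),
 * or -1 if out is too small.
 */
int encode_attr(const char *in, char *out, size_t outsz)
{
	size_t n = 0, rlen;
	const char *rep;

	for (; *in != '\0'; in++) {
		switch (*in) {
		case '<': rep = "&lt;";   break;
		case '>': rep = "&gt;";   break;
		case '&': rep = "&amp;";  break;
		case '"': rep = "&quot;"; break;   /* the byte this fix adds */
		default:  rep = NULL;     break;   /* copied through unchanged */
		}
		rlen = rep != NULL ? strlen(rep) : 1;
		if (n + rlen >= outsz)        /* leave room for the NUL */
			return -1;
		if (rep != NULL)
			memcpy(out + n, rep, rlen);
		else
			out[n] = *in;
		n += rlen;
	}
	out[n] = '\0';
	return (int)n;
}

/*
 * Count raw '"' bytes.  An encoded attribute value must contain none,
 * so the two quotes the caller writes around it stay its only delimiters.
 */
int count_quotes(const char *s)
{
	int k = 0;

	for (; *s != '\0'; s++)
		if (*s == '"')
			k++;
	return k;
}
```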
-rw-r--r-- | html.c | 5 |
1 files changed, 4 insertions, 1 deletions
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse) int c, len, nospace; const char *seq; enum mandoc_esc esc; - static const char rejs[8] = { '\\', '<', '>', '&', + static const char rejs[9] = { '\\', '<', '>', '&', '"', ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' }; nospace = 0; @@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse) case '&': printf("&"); continue; + case '"': + printf("""); + continue; case ASCII_NBRSP: putchar('-'); continue; |
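Review bot: in the first hunk the array length is spelled out as a literal (`static const char rejs[9] = { ... }`) that has to be bumped by hand every time a byte is added, which is exactly the kind of edit this fix makes; declaring it `static const char rejs[] = { ... }` lets the compiler size it, and the trailing `'\0'` still terminates it. The set is now '\\', '<', '>', '&', '"' plus the three ASCII_* markers; if any attribute in html.c is ever emitted with single-quote delimiters, '\'' would need the same treatment, so it is worth confirming that every attribute print path uses double quotes.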
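Review bot: in the second hunk the replacement text for the new `case '"':` is rendered here as `printf(""");`, which is not a valid C string literal, and the existing `case '&':` likewise shows `printf("&");`. The entity references (`&quot;` and `&amp;`) have evidently been decoded by the page renderer, so the real source should be checked: emitting a literal '"' here would leave the attribute injection the commit message describes unfixed. A regression test that feeds a manual with a '"' inside an .Lk or .UR argument through the HTML formatter and asserts that the resulting href value contains `&quot;` and no raw quote would catch that.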