path: root/config.h.post
author: Ingo Schwarze <schwarze@openbsd.org> 2014-07-22 22:41:35 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2014-07-22 22:41:35 +0000
commit: 3d2eb53149ca24b5957180553ec66503bbcd3e7b (patch)
tree: 8712883eef040cdf5086ab3918c6aea131849e1c /config.h.post
parent: 65cb0941933336f1e6502825398c255d1c4d858e (diff)
download: mandoc-3d2eb53149ca24b5957180553ec66503bbcd3e7b.tar.gz
Security fix:
The function print_encode() is used both for plain text and for quoted attribute values. Escape the '"' character such that malicious manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe others) to trigger the latter case. In the former case, escaping does no harm. Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Diffstat (limited to 'config.h.post')
0 files changed, 0 insertions, 0 deletions
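As an added illustration of the point in the commit message (example code written here, not mandoc's own print_encode()), one HTML encoder that also escapes the double quote is used for both a quoted href value and the visible link text; the URL and text below are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Escape a string for HTML. Because one routine serves both text nodes
 * and double-quoted attribute values, it must escape '"' in addition to
 * '&', '<' and '>'; otherwise a quote in the input could end the attribute
 * early. Returns bytes written (excluding NUL), or -1 if out is too small. */
static int html_encode(const char *in, char *out, size_t outsz)
{
	size_t pos = 0;
	for (; *in != '\0'; in++) {
		const char *rep = NULL;
		switch (*in) {
		case '&': rep = "&amp;"; break;
		case '<': rep = "&lt;"; break;
		case '>': rep = "&gt;"; break;
		case '"': rep = "&quot;"; break;
		}
		size_t len = rep ? strlen(rep) : 1;
		if (pos + len >= outsz)
			return -1;
		if (rep)
			memcpy(out + pos, rep, len);
		else
			out[pos] = *in;
		pos += len;
	}
	out[pos] = '\0';
	return (int)pos;
}

/* Build a hyperlink; both the attribute value and the link text go
 * through the same encoder, mirroring the two call sites in the fix. */
static int format_link(const char *url, const char *text, char *out, size_t outsz)
{
	char eurl[256], etext[256];
	if (html_encode(url, eurl, sizeof(eurl)) < 0 ||
	    html_encode(text, etext, sizeof(etext)) < 0)
		return -1;
	int n = snprintf(out, outsz, "<a href=\"%s\">%s</a>", eurl, etext);
	return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
	/* Constructed sample: a quote that would close href="" if left raw. */
	char buf[512];
	if (format_link("http://example.com/?q=a\"b", "x<y>&z", buf, sizeof(buf)) > 0)
		puts(buf);
	return 0;
}
```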