Security fix:

The function print_encode() is used both for plain text and for quoted attribute values. Escape the '"' character such that malicious manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe others) to trigger the latter case. In the former case, escaping does no harm. Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
author: Ingo Schwarze <schwarze@openbsd.org> 2014-07-22 22:41:35 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2014-07-22 22:41:35 +0000
commit: 3d2eb53149ca24b5957180553ec66503bbcd3e7b (patch)
tree: 8712883eef040cdf5086ab3918c6aea131849e1c /html.c
parent: 65cb0941933336f1e6502825398c255d1c4d858e (diff)
download: mandoc-3d2eb53149ca24b5957180553ec66503bbcd3e7b.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/html.c b/html.c
index 1e7a88db..d4f2a057 100644
--- a/html.c
+++ b/html.c
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse)
 	int		 c, len, nospace;
 	const char	*seq;
 	enum mandoc_esc	 esc;
-	static const char rejs[8] = { '\\', '<', '>', '&',
+	static const char rejs[9] = { '\\', '<', '>', '&', '"',
 		ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
 	nospace = 0;
@@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse)
 		case '&':
 			printf("&amp;");
 			continue;
+		case '"':
+			printf("&quot;");
+			continue;
 		case ASCII_NBRSP:
 			putchar('-');
 			continue;
author	Ingo Schwarze <schwarze@openbsd.org>	2014-07-22 22:41:35 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2014-07-22 22:41:35 +0000
commit	3d2eb53149ca24b5957180553ec66503bbcd3e7b (patch)
tree	8712883eef040cdf5086ab3918c6aea131849e1c /html.c
parent	65cb0941933336f1e6502825398c255d1c4d858e (diff)
download	mandoc-3d2eb53149ca24b5957180553ec66503bbcd3e7b.tar.gz