From 3d2eb53149ca24b5957180553ec66503bbcd3e7b Mon Sep 17 00:00:00 2001
From: Ingo Schwarze 
Date: Tue, 22 Jul 2014 22:41:35 +0000
Subject: Security fix: The function print_encode() is used both for plain text and for quoted attribute values. Escape the '"' character such that malicious manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe others) to trigger the latter case. In the former case, escaping does no harm. Issue found by Sebastien Marie .

---
 html.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'html.c')

diff --git a/html.c b/html.c
index 1e7a88db..d4f2a057 100644
--- a/html.c
+++ b/html.c
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse)
 	int c, len, nospace;
 	const char *seq;
 	enum mandoc_esc esc;
-	static const char rejs[8] = { '\\', '<', '>', '&',
+	static const char rejs[9] = { '\\', '<', '>', '&', '"',
 		ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
 	nospace = 0;
@@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse)
 		case '&':
 			printf("&");
 			continue;
+		case '"':
+			printf(""");
+			continue;
 		case ASCII_NBRSP:
 			putchar('-');
 			continue;
-- 
cgit
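Review bot: The new `case '"':` in the second hunk covers double-quoted attribute values only; `'` is still passed through unescaped, so the fix holds only as long as every attribute that print_encode() feeds is emitted with double quotes, which the hunk does not show. Either document that invariant where `rejs` is declared, e.g. `/* rejs must list every byte handled by the switch below; attribute values are always double-quoted, so '\'' needs no escape */`, or add a parallel `case '\'':` emitting the numeric entity. Note also that the two hunks are a matched pair: a byte added to `rejs` without a matching `case` (or vice versa) silently changes what reaches the output, so the comment should tie the table to the switch explicitly. As rendered on this page the literals read `"&"` and `"\""`, which looks like the HTML entities having been decoded by the page rather than the real source; the committed code presumably prints the named entity for `"`, otherwise the new case would be a no-op. print_encode()'s body begins before the first hunk and continues past the second.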