]> git.cameronkatri.com Git - mandoc.git/commit
git.ckatri.com / mandoc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b60b236) | patch
Security fix:
authorIngo Schwarze <schwarze@openbsd.org>
Tue, 22 Jul 2014 22:41:35 +0000 (22:41 +0000)
committerIngo Schwarze <schwarze@openbsd.org>
Tue, 22 Jul 2014 22:41:35 +0000 (22:41 +0000)
commit5958bb58d226401788b8cb09c2a2b93dc28de2d5
treee6da696f7062c9f6bc6dffed91a0cb7b3cc5daf3tree | snapshot
parentb60b23600ca14efd4017a9f23b6e2044118a886ccommit | diff
Security fix:
The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
html.c diff | blob | history
A git conversion mirror of mandoc.bsd.lv