git.cameronkatri.com Git - mandoc.git/commit
author Ingo Schwarze <schwarze@openbsd.org>
Wed, 23 Jul 2014 15:00:08 +0000 (15:00 +0000)
committer Ingo Schwarze <schwarze@openbsd.org>
Wed, 23 Jul 2014 15:00:08 +0000 (15:00 +0000)
commit 6f5332923fc94cad0bee91d0c1fa8be521828d5c
tree 2e8849fe31297bf03a63cdfed8e5a75d1c933097
parent 5958bb58d226401788b8cb09c2a2b93dc28de2d5
Security fix:
After decoding numeric (\N) and one-character (\<, \> etc.)
character escape sequences, do not forget to HTML-encode the
resulting ASCII character.  Malicious manuals were able to smuggle
XSS content by roff-escaping the HTML-special characters they need.
That's a classic bug type in many web applications, actually...  :-(

Found myself while auditing the HTML formatter for safe output handling.
chars.c
html.c
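The bug class described in the commit message, as an added example that is not mandoc's code: a minimal roff-to-HTML text emitter in which literal characters are HTML-encoded but, on the buggy path, the result of decoding an escape is copied through raw. Only two escape forms are modelled, an assumption made for illustration: the numeric escape \N'ddd' (decimal character code) and the one-character escapes \<, \> and \", which decode to the character itself. The function names (render_buggy, render_fixed, renders_to) and the sample input are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append s to out at *pos; return 0, or -1 if it does not fit. */
static int
emit(char *out, size_t outsz, size_t *pos, const char *s)
{
	size_t n = strlen(s);

	if (*pos + n + 1 > outsz)
		return -1;
	memcpy(out + *pos, s, n + 1);
	*pos += n;
	return 0;
}

/* Append one byte without any encoding. */
static int
emit_raw(char *out, size_t outsz, size_t *pos, int c)
{
	char one[2] = { (char)c, '\0' };

	return emit(out, outsz, pos, one);
}

/* Append one byte, HTML-encoding the characters that are special in HTML. */
static int
emit_html(char *out, size_t outsz, size_t *pos, int c)
{
	switch (c) {
	case '<':  return emit(out, outsz, pos, "&lt;");
	case '>':  return emit(out, outsz, pos, "&gt;");
	case '&':  return emit(out, outsz, pos, "&amp;");
	case '"':  return emit(out, outsz, pos, "&quot;");
	default:   return emit_raw(out, outsz, pos, c);
	}
}

/* Decode the escape whose backslash *p points at (assumed subset: \N'ddd'
 * and \< \> \").  Returns the decoded byte and advances *p past the
 * sequence, or returns -1 if the escape is malformed or unknown. */
static int
decode_escape(const char **p)
{
	const char *s = *p + 1;
	int v = 0;

	if (s[0] == 'N' && s[1] == '\'') {
		s += 2;
		if (*s < '0' || *s > '9')
			return -1;
		while (*s >= '0' && *s <= '9') {
			v = v * 10 + (*s++ - '0');
			if (v > 255)	/* reject out-of-range codes */
				return -1;
		}
		if (*s != '\'')
			return -1;
		*p = s + 1;
		return v;
	}
	if (s[0] == '<' || s[0] == '>' || s[0] == '"') {
		*p = s + 1;
		return (unsigned char)s[0];
	}
	return -1;
}

/* Render roff text to HTML.  Literal characters are always HTML-encoded.
 * With encode_decoded == 0 the decoded result of an escape bypasses the
 * encoder (the bug this commit fixes); with 1 it is encoded like any other
 * character.  Returns the output length, or -1 on a bad escape or overflow. */
static int
render(const char *in, char *out, size_t outsz, int encode_decoded)
{
	size_t pos = 0;
	int c;

	if (outsz == 0)
		return -1;
	out[0] = '\0';
	while (*in != '\0') {
		if (*in == '\\') {
			if ((c = decode_escape(&in)) < 0)
				return -1;
			if ((encode_decoded ? emit_html : emit_raw)(out, outsz, &pos, c) < 0)
				return -1;
			continue;
		}
		if (emit_html(out, outsz, &pos, (unsigned char)*in++) < 0)
			return -1;
	}
	return (int)pos;
}

/* Before the fix: escaped characters reach the output unencoded. */
int render_buggy(const char *in, char *out, size_t outsz) { return render(in, out, outsz, 0); }
/* After the fix: decoded characters are HTML-encoded too. */
int render_fixed(const char *in, char *out, size_t outsz) { return render(in, out, outsz, 1); }

/* Check helper: 1 if rendering `in` (fixed or buggy path) yields `expected`. */
int
renders_to(const char *in, int fixed, const char *expected)
{
	char buf[256];
	int n = fixed ? render_fixed(in, buf, sizeof buf) : render_buggy(in, buf, sizeof buf);

	return n >= 0 && strcmp(buf, expected) == 0;
}

int
main(void)
{
	char buf[128];
	const char *sample = "\\N'60'b\\N'62'";	/* constructed: a roff-escaped "<b>" */

	render_buggy(sample, buf, sizeof buf);
	printf("buggy: %s\n", buf);	/* raw markup reaches the browser */
	render_fixed(sample, buf, sizeof buf);
	printf("fixed: %s\n", buf);	/* &lt;b&gt; */
	return 0;
}
```

The point to carry over to other output encoders: the encode step must sit at the very end of the pipeline, after every decode or unescape stage, so that no transformation can reintroduce a special character after it has been checked.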