Security fix:

The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.

diff --git a/html.c b/html.c
index b8a4c44512232511cecd99e3a6c262f9d2881c8e..d2b9c3f0406f0e26a90037f2b26b9afe3b562616 100644 (file)
--- a/html.c
+++ b/html.c
@@ -1,4 +1,4 @@
-/*     $Id: html.c,v 1.157 2014/04/23 16:08:33 schwarze Exp $ */
+/*     $Id: html.c,v 1.158 2014/07/22 22:41:35 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse)
        int              c, len, nospace;
        const char      *seq;
        enum mandoc_esc  esc;
-       static const char rejs[8] = { '\\', '<', '>', '&',
+       static const char rejs[9] = { '\\', '<', '>', '&', '"',
                ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
        nospace = 0;
@@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse)
                case '&':
                        printf("&amp;");
                        continue;
+               case '"':
+                       printf("&quot;");
+                       continue;
                case ASCII_NBRSP:
                        putchar('-');
                        continue;