From 5958bb58d226401788b8cb09c2a2b93dc28de2d5 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Tue, 22 Jul 2014 22:41:35 +0000
Subject: Security fix: The function print_encode() is used both for plain text
 and for quoted attribute values. Escape the '"' character such that malicious
 manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR
 macros (and maybe others) to trigger the latter case. In the former case,
 escaping does no harm. Issue found by Sebastien Marie <semarie-openbsd at
 latrappe dot fr>.

---
 html.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'html.c')

diff --git a/html.c b/html.c
index b8a4c445..d2b9c3f0 100644
--- a/html.c
+++ b/html.c
@@ -1,4 +1,4 @@
-/*	$Id: html.c,v 1.157 2014/04/23 16:08:33 schwarze Exp $ */
+/*	$Id: html.c,v 1.158 2014/07/22 22:41:35 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse)
 	int		 c, len, nospace;
 	const char	*seq;
 	enum mandoc_esc	 esc;
-	static const char rejs[8] = { '\\', '<', '>', '&',
+	static const char rejs[9] = { '\\', '<', '>', '&', '"',
 		ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
 	nospace = 0;
@@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse)
 		case '&':
 			printf("&amp;");
 			continue;
+		case '"':
+			printf("&quot;");
+			continue;
 		case ASCII_NBRSP:
 			putchar('-');
 			continue;
-- 
cgit v1.2.3