diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-22 22:41:35 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-22 22:41:35 +0000 |
commit | 5958bb58d226401788b8cb09c2a2b93dc28de2d5 (patch) | |
tree | e6da696f7062c9f6bc6dffed91a0cb7b3cc5daf3 /html.c | |
parent | b60b23600ca14efd4017a9f23b6e2044118a886c (diff) | |
download | mandoc-5958bb58d226401788b8cb09c2a2b93dc28de2d5.tar.gz mandoc-5958bb58d226401788b8cb09c2a2b93dc28de2d5.tar.zst mandoc-5958bb58d226401788b8cb09c2a2b93dc28de2d5.zip |
Security fix:
The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Diffstat (limited to 'html.c')
-rw-r--r-- | html.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -1,4 +1,4 @@ -/* $Id: html.c,v 1.157 2014/04/23 16:08:33 schwarze Exp $ */ +/* $Id: html.c,v 1.158 2014/07/22 22:41:35 schwarze Exp $ */ /* * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org> @@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecurse) int c, len, nospace; const char *seq; enum mandoc_esc esc; - static const char rejs[8] = { '\\', '<', '>', '&', + static const char rejs[9] = { '\\', '<', '>', '&', '"', ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' }; nospace = 0; @@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecurse) case '&': printf("&"); continue; + case '"': + printf("""); + continue; case ASCII_NBRSP: putchar('-'); continue; |