artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4d4881e) | patch
Security fix:
authorschwarze <schwarze@openbsd.org>
Tue, 22 Jul 2014 22:41:29 +0000 (22:41 +0000)
committerschwarze <schwarze@openbsd.org>
Tue, 22 Jul 2014 22:41:29 +0000 (22:41 +0000)
commitced40a2efce9e93f2a6bbefae0e42d680d633cda
treeb243b48415e064f364cacf543abe8280e900a0f4tree | snapshot
parent4d4881ee4ee657fc9fa401cedd962be7d4358227commit | diff
Security fix:
The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
usr.bin/mandoc/html.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim