Security fix:

The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.

diff --git a/usr.bin/mandoc/html.c b/usr.bin/mandoc/html.c
index 50a1f7a..4bd617b 100644 (file)
--- a/usr.bin/mandoc/html.c
+++ b/usr.bin/mandoc/html.c
@@ -1,4 +1,4 @@
-/*     $Id: html.c,v 1.36 2014/04/23 16:07:06 schwarze Exp $ */
+/*     $Id: html.c,v 1.37 2014/07/22 22:41:29 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -326,7 +326,7 @@ print_encode(struct html *h, const char *p, int norecurse)
        int              c, len, nospace;
        const char      *seq;
        enum mandoc_esc  esc;
-       static const char rejs[8] = { '\\', '<', '>', '&',
+       static const char rejs[9] = { '\\', '<', '>', '&', '"',
                ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
        nospace = 0;
@@ -356,6 +356,9 @@ print_encode(struct html *h, const char *p, int norecurse)
                case '&':
                        printf("&amp;");
                        continue;
+               case '"':
+                       printf("&quot;");
+                       continue;
                case ASCII_NBRSP:
                        putchar('-');
                        continue;