Security fix:

The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.

1 files changed, 5 insertions, 2 deletions

diff --git a/usr.bin/mandoc/html.c b/usr.bin/mandoc/html.c
index 50a1f7ac1f5..4bd617bb7a7 100644
--- a/usr.bin/mandoc/html.c
+++ b/usr.bin/mandoc/html.c
@@ -1,4 +1,4 @@
-/*	$Id: html.c,v 1.36 2014/04/23 16:07:06 schwarze Exp $ */
+/*	$Id: html.c,v 1.37 2014/07/22 22:41:29 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -326,7 +326,7 @@ print_encode(struct html *h, const char *p, int norecurse)
 	int		 c, len, nospace;
 	const char	*seq;
 	enum mandoc_esc	 esc;
-	static const char rejs[8] = { '\\', '<', '>', '&',
+	static const char rejs[9] = { '\\', '<', '>', '&', '"',
 		ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
 	nospace = 0;
@@ -356,6 +356,9 @@ print_encode(struct html *h, const char *p, int norecurse)
 		case '&':
 			printf("&amp;");
 			continue;
+		case '"':
+			printf("&quot;");
+			continue;
 		case ASCII_NBRSP:
 			putchar('-');
 			continue;