CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2014/07/23 09:00:00
Modified files:
usr.bin/mandoc : chars.c html.c
Log message:
Security fix:
After decoding numeric (\N) and one-character (\<, \> etc.)
character escape sequences, do not forget to HTML-encode the
resulting ASCII character. Malicious manuals were able to smuggle
XSS content by roff-escaping the HTML-special characters they need.
That's a classic bug type in many web applications, actually... :-(
Found myself while auditing the HTML formatter for safe output handling.
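The bug class the commit describes, as an added example that is not mandoc's own code: a tiny roff-to-HTML renderer whose `roff_decode`, `html_putc` and `roff_to_html` are hypothetical names, handling only `\N'ddd'` and the `\<`, `\>`, `\&` escapes. The `encode_decoded` flag switches between the pre-fix path, where the decoded character bypasses HTML encoding, and the fixed path, where it is encoded like any literal character.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example modelling the commit's bug class (not mandoc code):
 * an escape such as \N'60' decodes to '<' and must still be HTML-encoded. */

/* Decode one escape at *p (just past the backslash): \N'ddd', \<, \>, \&.
 * Returns the decoded character and advances *p, or 0 if unrecognised. */
static int roff_decode(const char **p) {
    const char *s = *p;
    if (s[0] == 'N' && s[1] == '\'') {           /* \N'ddd' numeric escape */
        char *end;
        long v = strtol(s + 2, &end, 10);
        if (*end != '\'' || v <= 0 || v >= 128) return 0;
        *p = end + 1;
        return (int)v;
    }
    if (s[0] == '<' || s[0] == '>' || s[0] == '&') { *p = s + 1; return s[0]; }
    return 0;
}

/* Append c to out[], replacing the HTML-special characters by entities. */
static void html_putc(int c, char *out, size_t *n, size_t cap) {
    char lit[2] = { (char)c, '\0' };
    const char *rep = c == '<' ? "&lt;" : c == '>' ? "&gt;" : c == '&' ? "&amp;" : lit;
    size_t len = strlen(rep);
    if (*n + len < cap) { memcpy(out + *n, rep, len); *n += len; }
}

/* Render roff text as HTML into out (cap bytes). encode_decoded == 0
 * reproduces the bug: the decoded character is emitted raw. 1 is the fix:
 * it goes through html_putc like every other character. Returns out. */
char *roff_to_html(const char *in, int encode_decoded, char *out, size_t cap) {
    size_t n = 0;
    for (const char *p = in; *p != '\0'; ) {
        const char *q = p + 1;
        int c = (*p == '\\') ? roff_decode(&q) : 0;
        if (c == 0) {                /* literal character: always encoded */
            html_putc((unsigned char)*p++, out, &n, cap);
            continue;
        }
        p = q;
        if (encode_decoded)          /* the fix: encode the decoded char too */
            html_putc(c, out, &n, cap);
        else if (n + 1 < cap)        /* the bug: \N'60' reaches output as '<' */
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return out;
}
```

A literal `<` in the input was already encoded before the fix; only the decoded-escape path leaked raw markup, which is why the defect survived ordinary testing.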