Default branch: MAIN
Current tag: OPENBSD_5_6_BASE
Revision 1.29, Wed Jul 23 15:00:00 2014 UTC, by schwarze
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.28: +13 -2 lines
Security fix: After decoding numeric (\N) and one-character (\<, \> etc.) character escape sequences, do not forget to HTML-encode the resulting ASCII character. Malicious manuals were able to smuggle XSS content by roff-escaping the HTML-special characters they need. That's a classic bug type in many web applications, actually... :-( Found it myself while auditing the HTML formatter for safe output handling.
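The bug class the commit describes, as an added illustration that is not mandoc's own code: a minimal converter for the two escape forms named above (numeric \N'ddd' and the one-character \< and \>), with a flag that switches between the pre-fix behaviour (decoded characters appended raw) and the fixed behaviour (decoded characters sent through the same HTML encoder as literal text). The function names, the flag and the 128-codepoint limit are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Write the HTML-safe form of byte c to out; return bytes written. */
static size_t html_put(char *out, int c)
{
	const char *rep = NULL;
	switch (c) {
	case '<': rep = "&lt;"; break;
	case '>': rep = "&gt;"; break;
	case '&': rep = "&amp;"; break;
	}
	if (rep == NULL) { out[0] = (char)c; return 1; }
	memcpy(out, rep, strlen(rep));
	return strlen(rep);
}
/* Hypothetical converter (not mandoc's code) for \N'ddd', \< and \>.
 * encode_decoded == 0 mimics the bug: a character produced by an escape
 * was appended raw, so \< reached the HTML output as a literal '<'.
 * encode_decoded != 0 is the fix: every character goes through html_put(). */
size_t roff_to_html(const char *src, char *dst, size_t n, int encode_decoded)
{
	size_t o = 0;
	while (*src != '\0' && o + 6 < n) {
		int c = (unsigned char)*src++;
		int from_escape = 0;
		if (c == '\\' && src[0] == 'N' && src[1] == '\'') {
			char *end;
			long v = strtol(src + 2, &end, 10);	/* numeric escape */
			if (*end == '\'' && v > 0 && v < 128) {
				c = (int)v; src = end + 1; from_escape = 1;
			}
		} else if (c == '\\' && (src[0] == '<' || src[0] == '>')) {
			c = (unsigned char)*src++; from_escape = 1;	/* one-char escape */
		}
		if (from_escape && !encode_decoded)
			dst[o++] = (char)c;	/* pre-fix path: bypasses encoding */
		else
			o += html_put(dst + o, c);	/* literal text was always encoded */
	}
	dst[o] = '\0';
	return o;
}
/* Convenience wrapper returning a static buffer (not reentrant). */
const char *convert(const char *src, int encode_decoded)
{
	static char buf[256];
	roff_to_html(src, buf, sizeof buf, encode_decoded);
	return buf;
}
```

With the flag at 0, \N'60'b\N'62' in a manual comes out as a literal `<b>` tag; with the fix enabled it becomes `&lt;b&gt;`, exactly as literal `<b>` in the source already did.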