===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/mandoc/html.c,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- src/usr.bin/mandoc/html.c 2018/05/25 20:23:39 1.99
+++ src/usr.bin/mandoc/html.c 2018/05/28 14:12:35 1.100
@@ -1,4 +1,4 @@
-/* $OpenBSD: html.c,v 1.99 2018/05/25 20:23:39 schwarze Exp $ */
+/* $OpenBSD: html.c,v 1.100 2018/05/28 14:12:35 schwarze Exp $ */
 /*
 * Copyright (c) 2008-2011, 2014 Kristaps Dzonsons
 * Copyright (c) 2011-2015, 2017, 2018 Ingo Schwarze
@@ -285,10 +285,16 @@
 if (buf == NULL)
 return NULL;
- /* http://www.w3.org/TR/html5/dom.html#the-id-attribute */
+ /*
+ * In ID attributes, only use ASCII characters that are
+ * permitted in URL-fragment strings according to the
+ * explicit list at:
+ * https://url.spec.whatwg.org/#url-fragment-string
+ */
 for (cp = buf; *cp != '\0'; cp++)
- if (*cp == ' ')
+ if (isalnum((unsigned char)*cp) == 0 &&
+ strchr("!$&'()*+,-./:;=?@_~", *cp) == NULL)
 *cp = '_';
 if (unique == 0)
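Review bot: `isalnum()` in the new loop condition is locale-dependent, so on its own it does not enforce the "only use ASCII characters" rule stated in the added comment; if the program ever runs with a non-C LC_CTYPE on a single-byte charset (not visible here), bytes above 0x7f could be classified as alphanumeric and reach the ID unchanged. Checking for ASCII first would make the filter match the comment, e.g. `if ((isascii((unsigned char)*cp) == 0 || isalnum((unsigned char)*cp) == 0) &&` followed by the unchanged `strchr()` line. The allow-list also keeps `&` and `'`, so the string is safe inside an HTML attribute only if the code that prints the attribute escapes it; that code is outside this hunk and is worth confirming. The enclosing function starts before and continues after the hunk, so the handling of `unique` and of the returned buffer could not be reviewed.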