CVS log for src/usr.bin/mandoc/html.c

Up to [local] / src / usr.bin / mandoc

Request diff between arbitrary revisions

Default branch: MAIN
Current tag: OPENBSD_5_6

Revision 1.38 / (download) - annotate - [select for diffs], Wed Jul 23 15:00:00 2014 UTC (9 years, 10 months ago) by schwarze
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.37: +38 -27 lines
Diff to previous 1.37 (colored)

Security fix:
After decoding numeric (\N) and one-character (\<, \> etc.)
character escape sequences, do not forget to HTML-encode the
resulting ASCII character.  Malicious manuals were able to smuggle
XSS content by roff-escaping the HTML-special characters they need.
That's a classic bug type in many web applications, actually...  :-(

Found myself while auditing the HTML formatter for safe output handling.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

Diffs between
and

Preferred Diff type:
View only Branch:
Sort log by: