===================================================================
RCS file: /cvs/mandoc/html.c,v
retrieving revision 1.156
retrieving revision 1.158
diff -u -p -r1.156 -r1.158
--- mandoc/html.c	2014/04/20 16:46:04	1.156
+++ mandoc/html.c	2014/07/22 22:41:35	1.158
@@ -1,4 +1,4 @@
-/*	$Id: html.c,v 1.156 2014/04/20 16:46:04 schwarze Exp $ */
+/*	$Id: html.c,v 1.158 2014/07/22 22:41:35 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze <schwarze@openbsd.org>
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char *p, int norecu
 	int		 c, len, nospace;
 	const char	*seq;
 	enum mandoc_esc	 esc;
-	static const char rejs[8] = { '\\', '<', '>', '&',
+	static const char rejs[9] = { '\\', '<', '>', '&', '"',
 		ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
 	nospace = 0;
@@ -360,6 +360,9 @@ print_encode(struct html *h, const char *p, int norecu
 		case '&':
 			printf("&amp;");
 			continue;
+		case '"':
+			printf("&quot;");
+			continue;
 		case ASCII_NBRSP:
 			putchar('-');
 			continue;
@@ -656,6 +659,12 @@ bufcat_style(struct html *h, const char *key, const ch
 void
 bufcat(struct html *h, const char *p)
 {
+
+	/*
+	 * XXX This is broken and not easy to fix.
+	 * When using the -Oincludes option, buffmt_includes()
+	 * may pass in strings overrunning BUFSIZ, causing a crash.
+	 */
 
 	h->buflen = strlcat(h->buf, p, BUFSIZ);
 	assert(h->buflen < BUFSIZ);