Up to [cvsweb.bsd.lv] / mandoc
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: VERSION_1_13_1
Revision 1.159 / (download) - annotate - [select for diffs], Wed Jul 23 15:00:08 2014 UTC (9 years, 10 months ago) by schwarze
Branch: MAIN
CVS Tags: VERSION_1_13_1
Changes since 1.158: +38 -27 lines
Diff to previous 1.158 (unified)
Security fix: After decoding numeric (\N) and one-character (\<, \> etc.) character escape sequences, do not forget to HTML-encode the resulting ASCII character. Malicious manuals were able to smuggle XSS content by roff-escaping the HTML-special characters they need. That's a classic bug type in many web applications, actually... :-( Found myself while auditing the HTML formatter for safe output handling.