Up to [cvsweb.bsd.lv] / mandoc
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: VERSION_1_13_1
Revision 1.58 / (download) - annotate - [select for diffs], Wed Jul 23 15:00:08 2014 UTC (9 years, 11 months ago) by schwarze
Branch: MAIN
CVS Tags: VERSION_1_13_1
Changes since 1.57: +13 -2 lines
Diff to previous 1.57 (unified)
Security fix: After decoding numeric (\N) and one-character (\<, \> etc.) character escape sequences, do not forget to HTML-encode the resulting ASCII character. Malicious manuals were able to smuggle XSS content by roff-escaping the HTML-special characters they need. That's a classic bug type in many web applications, actually... :-( Found myself while auditing the HTML formatter for safe output handling.