[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#853189: tracker.debian.org: Ecnoding issue / Code injection through Maintainer field (and probably others)



Mattia Rizzolo:
> On Mon, Jan 30, 2017 at 03:43:44PM +0100, Dominik George wrote:
>> tracker.debian.org apparently has encoding issues, not of the “schei�
>> encoding” kind, but it even seems to break the HTML completely and even
>> introduces new elements into the DOM in some way…
>>
>> أحمد المحمودي (Ahmed El-Mahmoudy), e.g., in the Maintainer field of
>> python-whoosh [1] triggers the issue in the “testing migrations” pane
>> (but not in the Maintainer field itself…).
> 
> That's coming from the excuses.yaml coming from
> https://release.debian.org/britney/excuses.yaml (debian-released CCed):
> 
> [...]

Sorry, but I am afraid that is incorrect.

 * excuses.yaml is valid UTF-8 AFAICT
 * tracker.d.o does *not* import excuses.yaml but update_excuses.html
   (as far as I am informed at least)
 * Even update_excuses.html us valid UTF-8 (but it uses "meta
   http-equiv" tag to declare that rather than a HTTP header).

So I am not (yet?) convinced that the problem is on the d-release side.

Thanks,
~Niels


Reply to: