
Bug#181872: www.debian.org: Improper handling of special HTML characters in package descriptions



Package: www.debian.org
Version: N/A; reported 2003-02-21
Severity: normal

  The scripts generating the packages' pages on
 <http://packages.debian.org> fail to convert the characters "<" and
 ">" to their respective HTML entities, such as "&lt;" and "&gt;".  It
 is likely that other characters are also affected by this.

  To see an example of this, take a look at
 <http://packages.debian.org/unstable/games/scummvm.html>.  The
 description in question reads:

    ".. at <URL: http://scummvm.sf.net/compatibility.php>. .."

  Mozilla shows this on the web pages like this:

    ".. at http://scummvm.sf.net/compatibility.php>. .."

  and the HTML source reads:

    ".. at <URL: <a href="http://scummvm.sf.net/compatibility.php>">http://scummvm.sf.net/compatibility.php></a>. .."
  Obviously, the special characters should have been replaced by their
 respective HTML entities.  I would assume that a malicious uploader
 could use packages.debian.org for an XSS attack, should he be inclined
 to do so. I don't believe that's likely to happen, though, so no
 security tag added.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux python.linpro.no 2.4.20-xfs #1 Wed Dec 11 20:26:47 CET 2002 i686
Locale: LANG=C, LC_CTYPE=no_NO.ISO-8859-1

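The report describes a linkifier that wraps URLs in anchors without escaping the surrounding description text, so the closing ">" of the "<URL: ...>" convention leaks into both the href and the page. The following is an added example, not code from the report or from the packages.debian.org scripts: it reproduces that behaviour on a constructed copy of the scummvm fragment and on a hypothetical hostile description, and puts a hardened renderer beside it that escapes each text run and each URL before emitting any markup. The sample strings, the regexes and the function names are all assumptions made for this illustration.

```python
import html
import re

# Constructed sample inputs. The first is the scummvm description fragment quoted
# in the report; the second is what a malicious uploader could put in a
# description field (hypothetical payload, not taken from any real package).
DESCRIPTION = "See the compatibility list at <URL: http://scummvm.sf.net/compatibility.php>."
HOSTILE = ("Great game <script>alert(document.cookie)</script> "
           "see <URL: http://example.invalid/a>")

# Reproduction of the buggy behaviour: a URL runs to the next whitespace
# (dropping a trailing full stop), so the closing '>' of "<URL: ...>" becomes
# part of the link, and nothing is escaped.
BUGGY_URL_RE = re.compile(r'https?://\S+?(?=\.?(?:\s|$))')

# Hardened URL matcher: stops at whitespace, quotes and angle brackets, so the
# delimiters of the "<URL: ...>" convention are never swallowed into the href.
SAFE_URL_RE = re.compile(r'https?://[^\s<>"\']+')


def render_buggy(text):
    """Linkify without escaping: every '<', '>', '&' and '"' in the
    description reaches the browser as markup. This is the defect the bug
    report describes, kept here for comparison."""
    return BUGGY_URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def render_safe(text):
    """Tokenise the description into plain-text runs and URLs, escape each run
    and each URL separately, and only then emit the anchor markup. Escaping
    before linkifying would break URLs containing '&'; linkifying before
    escaping would re-escape the anchors; doing it per token avoids both."""
    out = []
    pos = 0
    for m in SAFE_URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def unexpected_tags(rendered):
    """Crude output check: the names of tag-like tokens in the rendered HTML
    other than the <a> anchors the renderer itself emits. An empty list means
    no description text reached the page as raw markup."""
    names = re.findall(r'<([a-zA-Z][a-zA-Z0-9]*)', rendered)
    return sorted(set(names) - {"a"})


if __name__ == "__main__":
    for label, fn in (("buggy", render_buggy), ("safe", render_safe)):
        for sample in (DESCRIPTION, HOSTILE):
            out = fn(sample)
            print(f"[{label}] {out}")
            print(f"        unexpected tags: {unexpected_tags(out)}")
```

The buggy renderer reproduces the HTML source quoted in the report for the scummvm fragment, and on the hostile sample it passes a script element straight through. The point of the hardened version is the ordering: escaping is applied to every piece of description text, including the URL used as anchor text and as the quoted href value, and the only markup in the output is what the renderer itself constructs.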