Bug#181872: www.debian.org: character handling in conversion of package description
Followup-For: Bug #181872
Package: www.debian.org
Version: N/A; reported 2003-04-15
Hi,
The page http://packages.debian.org/unstable/web/sqcwa.html
also has this problem, but with greater importance, since the user
cannot read some important information from the package description.
I suggest protecting these characters when generating HTML:
< &lt;
> &gt;
& &amp;
" &quot;
In my opinion, just these three chars will be enough to avoid problems
and potential XSS attacks.
I think the program tried to protect some descriptions by using <pre>,
but inside the 'pre' element tags are allowed, so they are
interpreted.
In the page http://packages.debian.org/unstable/web/sqcwa.html
we can read:
This program reads squid/access.log on the fly, analyses it and
searches inside all text/html objects for some tags, and if found, tells
squidclient to purge the page.
It is needed for some webservers that do not put http-equiv tags in http
headers.
Currently these tags are:
But the correct version should have:
This program reads squid/access.log on the fly, analyses it and
searches inside all text/html objects for some <meta> tags, and if
found, tells squidclient to purge the page.
It is needed for some webservers that do not put http-equiv tags in http
headers.
Currently these tags are:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="expires" content="-1">
Thanks,
Pedro
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux mantis 2.2.20 #1 Sat Apr 20 11:45:28 EST 2002 i686
Locale: LANG=pt_BR, LC_CTYPE=pt_BR
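The point of the report, as an added example that is not part of the bug report nor of the Debian packages site's own code: a description is wrapped in <pre> but not escaped, so a browser treats its <meta> tags as markup and the reader never sees them. The sample description is constructed from the text quoted above; escape_html and visible_text are hypothetical helper names. escape_html rewrites the four characters the report lists (ampersand first, so already-produced entities are not escaped twice), and visible_text uses Python's html.parser to approximate what a browser would show for the fragment.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the sqcwa description as it should read (quoted in the report).
DESCRIPTION = """This program reads squid/access.log on the fly, analyses it and
searches inside all text/html objects for some <meta> tags, and if
found, tells squidclient to purge the page.
It is needed for some webservers that do not put http-equiv tags in http
headers.
Currently these tags are:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="expires" content="-1">"""


def escape_html(text):
    """Escape the characters the report lists: &, <, >, and double quote.

    The ampersand is replaced first so that the entities produced for the
    other characters are not themselves turned into '&amp;lt;' and so on.
    """
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


class _TextOnly(HTMLParser):
    """Collects only the character data a browser would render as text."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded into text
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(fragment):
    """Approximate what a reader sees for <pre>fragment</pre>.

    Anything that parses as a tag (including the <meta ...> lines) is
    swallowed as markup; only character data survives.
    """
    parser = _TextOnly()
    parser.feed("<pre>" + fragment + "</pre>")
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print("--- unescaped (what the reported page shows) ---")
    print(visible_text(DESCRIPTION))
    print("--- escaped (what the reader should see) ---")
    print(visible_text(escape_html(DESCRIPTION)))
    # Sanity check against the standard library escaper, which additionally
    # escapes the single quote; for the four characters above the two agree.
    assert html.escape(DESCRIPTION, quote=True).replace("&#x27;", "'") == escape_html(DESCRIPTION)
```

Running it shows the unescaped rendering losing every <meta ...> line and the word "<meta>" mid-sentence, while the escaped rendering reproduces the description verbatim; the same escaping is what stops an attacker-controlled description from injecting script into the page.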