
Bug#181872: www.debian.org: character handling in conversion of package description



Followup-For: Bug #181872
Package: www.debian.org
Version: N/A; reported 2003-04-15

  Hi,

  The page http://packages.debian.org/unstable/web/sqcwa.html
  also has this problem, but with greater importance, since users
  cannot read some important information from the package description.

  I suggest protecting these characters when generating HTML:

     <    &lt;
     >    &gt;
     &    &amp;
     "    &quot;

  In my opinion, just these three chars will be enough to avoid problems
  and potential XSS attacks.

  I think the program tried to protect some descriptions by using <pre>,
  but inside the 'pre' element tags are allowed, so they are
  interpreted.

  In the page http://packages.debian.org/unstable/web/sqcwa.html
  we can read:

    This program reads squid/access.log on the fly, analyses it and
    searches inside all text/html objects for some tags, and if found, tells
    squidclient to purge the page.
    It is needed for some webservers that do not put http-equiv tags in http
    headers.
    Currently these tags are:

  But the correct version should have:
    This program reads squid/access.log on the fly, analyses it and
    searches inside all text/html objects for some <meta> tags, and if
    found, tells squidclient to purge the page.
    It is needed for some webservers that do not put http-equiv tags in http
    headers.
    Currently these tags are:
     <meta http-equiv="pragma" content="no-cache">
     <meta http-equiv="cache-control" content="no-cache">
     <meta http-equiv="expires" content="0">
     <meta http-equiv="expires" content="-1">

  Thanks,
    Pedro

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux mantis 2.2.20 #1 Sat Apr 20 11:45:28 EST 2002 i686
Locale: LANG=pt_BR, LC_CTYPE=pt_BR
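The escaping proposed in the report, as an added example that is not code from the www.debian.org page generator (the report does not show that code): it applies the four-entry table above to the quoted sqcwa description and uses Python's html.parser to show which tags an HTML parser swallows from an unescaped <pre> block, and that the escaped version reaches the reader intact. The sample description is constructed from the text quoted in the report; function names are this example's own.

```python
"""Added example: escape a package description before placing it in <pre>,
and compare how an HTML parser sees the page with and without escaping."""
from html.parser import HTMLParser

# Escape table from the bug report. A single-pass character translation
# never re-escapes the entities it emits, so '&' needs no special ordering.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def escape_description(text):
    """Return `text` with every character in ESCAPES replaced by its entity."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def render_pre(description, escape=True):
    """Wrap a description in <pre>; escape=False models the current behaviour
    the report complains about, escape=True the proposed fix."""
    body = escape_description(description) if escape else description
    return "<pre>" + body + "</pre>"


class _PageView(HTMLParser):
    """Collect the start tags and visible text an HTML parser finds,
    roughly what a browser would render."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities come back as text
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def browser_view(markup):
    """Return (list of start tags, concatenated visible text) for `markup`."""
    view = _PageView()
    view.feed(markup)
    view.close()
    return view.tags, "".join(view.text)


def swallowed_tags(description, escape):
    """Tags (other than the wrapping <pre>) that the parser consumed from the
    description, i.e. text the reader never sees. Empty when escaping is on."""
    tags, _ = browser_view(render_pre(description, escape=escape))
    return [t for t in tags if t != "pre"]


# Constructed sample: the sqcwa description quoted in the bug report.
SQCWA_DESCRIPTION = (
    "This program reads squid/access.log on the fly, analyses it and\n"
    "searches inside all text/html objects for some <meta> tags, and if\n"
    "found, tells squidclient to purge the page.\n"
    "It is needed for some webservers that do not put http-equiv tags in http\n"
    "headers.\n"
    "Currently these tags are:\n"
    ' <meta http-equiv="pragma" content="no-cache">\n'
    ' <meta http-equiv="cache-control" content="no-cache">\n'
    ' <meta http-equiv="expires" content="0">\n'
    ' <meta http-equiv="expires" content="-1">\n'
)


if __name__ == "__main__":
    for escape in (False, True):
        tags, text = browser_view(render_pre(SQCWA_DESCRIPTION, escape=escape))
        print("escape=%s  tags seen by parser=%s" % (escape, tags))
        print(text)
```

Without escaping the five <meta ...> strings in the description are parsed as tags and vanish from the visible text, which is exactly the truncated rendering quoted in the report; with escaping the parser sees only the <pre> element and the visible text equals the original description.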
