Bug#181872: www.debian.org: Improper handling of special HTML characters in package descriptions
Package: www.debian.org
Version: N/A; reported 2003-02-21
Severity: normal
The scripts generating the packages' pages on
<http://packages.debian.org> fail to convert the characters "<" and
">" to their respective HTML entities, such as "&lt;" and "&gt;". It
is likely that other characters are also affected by this.
To see an example of this, take a look at
<http://packages.debian.org/unstable/games/scummvm.html>. The
description in question reads:
".. at <URL: http://scummvm.sf.net/compatibility.php>. .."
Mozilla shows this on the web pages like this:
".. at http://scummvm.sf.net/compatibility.php>. .."
and the HTML source reads:
".. at <URL: <a href="http://scummvm.sf.net/compatibility.php>">http://scummvm.sf.net/compatibility.php></a>. .."
Obviously, the special characters should have been replaced by their
respective HTML entities. I would assume that a malicious uploader
could use packages.debian.org for an XSS attack, should he be inclined
to do so. I don't believe that's likely to happen, though, so no
security tag added.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux python.linpro.no 2.4.20-xfs #1 Wed Dec 11 20:26:47 CET 2002 i686
Locale: LANG=C, LC_CTYPE=no_NO.ISO-8859-1
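The escaping failure the report describes, reproduced as an added example that is not the packages.debian.org script itself: a naive linkifier (render_naive) that wraps anything starting with http:// in an anchor and never escapes the surrounding text, which yields exactly the HTML source quoted in the report for the scummvm fragment, beside a hardened form (render_safe) that escapes every non-URL segment, escapes the URL inside the attribute and the link text, and stops the URL at characters that must never appear raw inside an attribute. The function names, the regular expressions and the second, deliberately hostile description string are constructed for illustration and are assumptions of this example.

```python
import html
import re

# Constructed sample: the scummvm description fragment quoted in the report.
SCUMMVM_DESCRIPTION = ".. at <URL: http://scummvm.sf.net/compatibility.php>. .."

# Constructed sample: what a malicious uploader could place in a description.
HOSTILE_DESCRIPTION = (
    "Homepage: http://example.com/ <script>alert(document.cookie)</script>"
)

# Naive linkifier (hypothetical reconstruction of the behaviour the report
# describes, not the real script): a URL is any run of non-whitespace after
# http(s)://, minus one trailing punctuation mark. Note that '>' and '"' are
# happily treated as part of the URL, and nothing around it is escaped.
_URL_NAIVE = re.compile(r'https?://\S+?(?=[.,;:]?(?:\s|$))')


def render_naive(text: str) -> str:
    """Vulnerable: interpolates the raw description straight into HTML."""
    return _URL_NAIVE.sub(
        lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text
    )


# Hardened linkifier: the URL may not contain whitespace, '<', '>', '"' or "'",
# so it can never close the attribute or the tag it is placed in, and the same
# trailing-punctuation rule applies.
_URL_SAFE = re.compile(r'https?://[^\s<>"\']+?(?=[.,;:]?(?:[\s<>"\']|$))')


def render_safe(text: str) -> str:
    """Escape every piece of the description before it touches HTML.

    Non-URL text is escaped with html.escape (which also turns '"' and "'"
    into entities); the URL is escaped once more in both the attribute and
    the link text so that '&' in query strings becomes '&amp;'.
    """
    out = []
    pos = 0
    for m in _URL_SAFE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(
            '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(url))
        )
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def contains_raw_markup(rendered: str, fragment: str) -> bool:
    """Check used below: does an attacker-supplied fragment survive unescaped?"""
    return fragment in rendered


if __name__ == "__main__":
    for label, desc in (("scummvm", SCUMMVM_DESCRIPTION),
                        ("hostile", HOSTILE_DESCRIPTION)):
        print("%s/naive: %s" % (label, render_naive(desc)))
        print("%s/safe:  %s" % (label, render_safe(desc)))
```

Running the block prints, for the scummvm fragment, the same broken anchor (with the stray `>` swallowed into the href) that the report quotes from the page source, and for the hostile fragment a live `<script>` element from render_naive against an inert `&lt;script&gt;` from render_safe. The design point is ordering: escaping has to happen on every segment as it is emitted, and the URL grammar has to exclude the attribute and tag delimiters, because escaping the finished HTML afterwards would also destroy the anchor tags the script itself generated.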