Package: www.debian.org
Version: N/A; reported 2003-02-21
Severity: normal

The scripts generating the packages' pages on <http://packages.debian.org> fail to convert the characters "<" and ">" to their respective HTML entities, "&lt;" and "&gt;". It is likely that other characters are also affected by this.

To see an example of this, take a look at <http://packages.debian.org/unstable/games/scummvm.html>. The description in question reads:

".. at <URL: http://scummvm.sf.net/compatibility.php>. .."

Mozilla shows this on the web page like this:

".. at http://scummvm.sf.net/compatibility.php>. .."

and the HTML source reads:

".. at <URL: <a href="http://scummvm.sf.net/compatibility.php>">http://scummvm.sf.net/compatibility.php></a>. .."

Obviously, the special characters should have been replaced by their respective HTML entities. I would assume that a malicious uploader could use packages.debian.org for an XSS attack, should he be inclined to do so. I don't believe that's likely to happen, though, so no security tag added.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux python.linpro.no 2.4.20-xfs #1 Wed Dec 11 20:26:47 CET 2002 i686
Locale: LANG=C, LC_CTYPE=no_NO.ISO-8859-1
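The defect the report describes is a page generator that wraps URLs in anchor tags but copies the surrounding description text into the HTML without escaping it. The following is an added illustration, not the packages.debian.org generator's own code: `render_unescaped` reproduces that ordering, `render_escaped` shows the fix (escape every piece of untrusted text, including the URL used for the href, and only then emit the markup), and `leaks_raw_markup` is a regression check that strips the anchors the generator itself produced and flags any remaining angle brackets. The URL regex, the anchor format and the sample description line are assumptions modelled on the scummvm example in the report.

```python
import html
import re

# Assumed URL pattern for linkifying descriptions; the real generator's pattern is unknown.
URL_RE = re.compile(r'https?://[^\s"<>]+')

# Constructed sample modelled on the scummvm description quoted in the report.
SAMPLE = 'See the list at <URL: http://scummvm.sf.net/compatibility.php>.'


def render_unescaped(description: str) -> str:
    """Reproduces the reported defect: URLs become links, but '<' and '>'
    from the description reach the HTML verbatim, so '<URL: ' is parsed as a tag."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', description)


def render_escaped(description: str) -> str:
    """Hardened form: split the raw text into URL and non-URL segments and
    HTML-escape each segment before any markup is emitted, so the escaped
    entities are never mistaken for part of a URL."""
    out = []
    pos = 0
    for m in URL_RE.finditer(description):
        out.append(html.escape(description[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)  # safe inside the quoted href too
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(html.escape(description[pos:], quote=True))
    return ''.join(out)


# Matches only the anchor tags this generator emits itself.
ANCHOR_RE = re.compile(r'</?a(?:\s[^<>]*)?>')


def leaks_raw_markup(rendered: str) -> bool:
    """Regression check: after removing the generator's own <a> tags, any
    remaining '<' or '>' must have come from unescaped description text."""
    stripped = ANCHOR_RE.sub('', rendered)
    return '<' in stripped or '>' in stripped


if __name__ == '__main__':
    for name, fn in (('unescaped', render_unescaped), ('escaped', render_escaped)):
        out = fn(SAMPLE)
        print(f'{name}: {out}')
        print(f'  leaks raw markup: {leaks_raw_markup(out)}')
```

The ordering matters: escaping the whole description first and linkifying afterwards would let the URL regex swallow the `&gt;` entity that follows a URL, so the hardened version escapes each segment of the original text separately.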