Followup-For: Bug #181872
Package: www.debian.org
Version: N/A; reported 2003-04-15

Hi,

The page http://packages.debian.org/unstable/web/sqcwa.html also has
this problem, but with greater importance, since the user cannot read
some important information from the package description.

I suggest protecting these characters when generating HTML:

  <  &lt;
  >  &gt;
  &  &amp;
  "  &quot;

In my opinion, just these three chars will be enough to avoid problems
and potential XSS attacks.

I think the program tried to protect some descriptions by using <pre>,
but inside the 'pre' element it is allowed to use tags, so they are
interpreted.

In the page http://packages.debian.org/unstable/web/sqcwa.html we can
read:

  This program reads squid/access.log on the fly, analyses it and
  searches inside all text/html objects for some tags, and if found,
  tells squidclient to purge the page. It is needed for some webservers
  that do not put http-equiv tags in http headers.
  Currently these tags are:

But the correct version should have:

  This program reads squid/access.log on the fly, analyses it and
  searches inside all text/html objects for some <meta> tags, and if
  found, tells squidclient to purge the page. It is needed for some
  webservers that do not put http-equiv tags in http headers.
  Currently these tags are:
  <meta http-equiv="pragma" content="no-cache">
  <meta http-equiv="cache-control" content="no-cache">
  <meta http-equiv="expires" content="0">
  <meta http-equiv="expires" content="-1">

Thanks,
Pedro

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux mantis 2.2.20 #1 Sat Apr 20 11:45:28 EST 2002 i686
Locale: LANG=pt_BR, LC_CTYPE=pt_BR
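
The behaviour reported above, as an added example that is not part of the original report and is not the packages.debian.org generator's code: an HTML parser is run over a description wrapped in <pre> with and without escaping, to show which text stays visible and which is consumed as markup. The function names and the shortened sample description are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a shortened form of the description quoted in the report.
DESCRIPTION = (
    'searches inside all text/html objects for some <meta> tags.\n'
    'Currently these tags are:\n'
    '<meta http-equiv="pragma" content="no-cache">\n'
    '<meta http-equiv="expires" content="0">\n'
)

def escape(text):
    """Escape the four characters listed in the report.
    '&' is replaced first so the '&' of the entities written afterwards
    is not escaped a second time."""
    for ch, ent in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")):
        text = text.replace(ch, ent)
    return text

def render_pre_only(description):
    """Hypothetical generator relying on <pre> alone (the reported behaviour)."""
    return "<pre>" + description + "</pre>"

def render_escaped(description):
    """Hypothetical generator that escapes the description before wrapping it."""
    return "<pre>" + escape(description) + "</pre>"

class _Collector(HTMLParser):
    """Records the text a browser would show and the tags it parsed as markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.tags = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse(page):
    """Return (visible text, list of start tags) for a generated page."""
    collector = _Collector()
    collector.feed(page)
    collector.close()
    return "".join(collector.text), collector.tags

if __name__ == "__main__":
    for render in (render_pre_only, render_escaped):
        text, tags = parse(render(DESCRIPTION))
        print(render.__name__, "tags parsed:", tags)
        print(text)
```
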