Hi Thijs,
Thijs Kinkhorst wrote:
> I don't think this is in any way an issue, even not with "normal"
> severity.
In my opinion, it remains a bug for the reasons given below. Personally,
I don't really care whether or not it's changed/fixed, though.
Package: qa.debian.org
Severity: normal
The following URLs demonstrate that it is possible to inject client-side
script (such as JavaScript) and HTML tags into the HTML form (1) and error
message (2) output generated by the "advanced [PTS] subscription" script.
(1)
http://packages.qa.debian.org
Package: qa.debian.org
Severity: minor
The search / redirection
http://packages.qa.debian.org/common/index.html
points to may provide unexpected results in some cases.
For example, put a single dot into the search box and submit the search.
http://packages.qa.debian.org/common/index.html?src=.