Bug 35275

Summary: XSS when rendering the changelog
Product: Infrastructure    Reporter: Ivan A. Melnikov <iv>
Component: packages.altlinux.org    Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: mike, rider
Version: unspecified   
Hardware: all   
OS: Linux   
Bug Depends on:    
Bug Blocks: 22555    
Attachments:
Description Flags
Screenshot none

Description Ivan A. Melnikov 2018-08-21 09:19:16 MSK
Tags from %changelog are not escaped and get interpreted by the browser.

Example:

https://packages.altlinux.org/en/Sisyphus/srpms/alterator-alternatives/changelog

The entry in question:
* Tue Nov 18 2008 Vladislav Zavjalov <slazav at altlinux.org> 1.0-alt3
- remove <title> and <h1> from html template
Comment 1 Ivan A. Melnikov 2018-08-21 09:20:41 MSK
Created attachment 7713 [details]
Screenshot
Comment 2 Ivan A. Melnikov 2018-09-11 12:29:45 MSK
Another example: https://packages.altlinux.org/en/Sisyphus/srpms/alt-docs-genextras

* Thu Apr 17 2008 Kirill Maslinsky <kirill@altlinux.org> 0.3-alt5
- bugfix (#12466, #13742)
- usability: issue absracts separated visually with <HR> (azol@)
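A rendering check for the defect described in the report and in Comment 2, added here as an example and not code from the bug tracker or from packages.altlinux.org: it parses the two quoted %changelog entries (embedded as constructed sample input), renders them with and without HTML escaping, and flags any tag the renderer did not emit itself. All function and variable names are assumptions.

```python
import html
import re

# Constructed sample: the two %changelog entries quoted in this bug report.
CHANGELOG = """\
* Tue Nov 18 2008 Vladislav Zavjalov <slazav at altlinux.org> 1.0-alt3
- remove <title> and <h1> from html template

* Thu Apr 17 2008 Kirill Maslinsky <kirill@altlinux.org> 0.3-alt5
- bugfix (#12466, #13742)
- usability: issue absracts separated visually with <HR> (azol@)
"""

ENTRY_HEADER = re.compile(r"^\* (.+)$")

def parse_changelog(text):
    """Split an RPM %changelog block into (header, [items]) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_HEADER.match(line)
        if m:
            entries.append((m.group(1), []))
        elif line.startswith("- ") and entries:
            entries[-1][1].append(line[2:])
        elif entries and entries[-1][1]:
            entries[-1][1][-1] += " " + line.strip()  # wrapped item text
    return entries

def render(entries, escape=html.escape):
    """Render entries as HTML. The fixed page passes every untrusted fragment
    through html.escape(); passing escape=str reproduces the original bug,
    where '<title>' or '<HR>' inside an item became live markup."""
    out = []
    for header, items in entries:
        out.append("<h3>%s</h3><ul>" % escape(header))
        out.extend("<li>%s</li>" % escape(item) for item in items)
        out.append("</ul>")
    return "\n".join(out)

# Regression check: any tag other than the ones the renderer itself emits
# means untrusted changelog text reached the page unescaped.
FOREIGN_TAG = re.compile(r"<(?!/?(?:h3|ul|li)>)[^>]*>")

def has_foreign_tags(page):
    return FOREIGN_TAG.search(page) is not None
```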
Comment 3 Anton Farygin 2021-11-10 12:10:12 MSK
Fixed on https://beta.packages.altlinux.org