Package: qa.debian.org
Severity: normal

Hi,

for the "nml" package, I'm seeing some warnings from debcheck at [1]:

  Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.
  Package declares a build time dependency on 'python3-pil ' which is broken Syntax.
  Package declares a build time dependency on 'python3-ply ' which is broken Syntax.

[1]: https://qa.debian.org/debcheck.php?dist=unstable&package=nml

At first glance, especially the latter two seem perfectly fine, making the error confusing. On closer inspection, the HTML source for these lines looks like:

  <p>Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.<br>
  Package declares a build time dependency on 'python3-pil <!nocheck>' which is broken Syntax.<br>
  Package declares a build time dependency on 'python3-ply <!nocheck>' which is broken Syntax.<br>

So it seems that qa.debian.org embeds the debcheck results into the HTML without any encoding, causing the brackets to be interpreted as HTML and the contents to be effectively hidden.

In theory, this could be a security problem (XSS), though exploiting that probably requires uploading a package with an XSS attack embedded in the dependency line (which probably needs to be accepted by other tooling in the process as well, so might even be impossible). Maybe other errors are more exploitable, but the lack of anonymity in the uploads probably means that this is really a security problem in practice.

Note that lack of support for such a <!nocheck> clause is the subject of #816448, but the encoding should be solved separately (even when that bug is also solved).

Solving this would probably be a matter of adding a `htmlspecialchars()` around the output lines.

Gr.

Matthijs
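The following is an added example, not part of the bug report or of the qa.debian.org code. It reproduces the rendering problem the report describes and the proposed fix side by side: debcheck lines containing a `<!nocheck>` build profile are pasted into HTML once without encoding and once with the equivalent of PHP's `htmlspecialchars()`. Python's `html.escape()` stands in for `htmlspecialchars()`, and the sample lines, the `render_*` functions and the `visible_text()` helper (which uses Python's HTML parser to approximate what a browser would display) are all constructed for this illustration and are not the real debcheck.php code.

```python
import html
from html.parser import HTMLParser

# Constructed sample of debcheck output, modelled on the lines quoted in the
# report. The second and third lines carry a "<!nocheck>" build profile.
SAMPLE_LINES = [
    "Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.",
    "Package declares a build time dependency on 'python3-pil <!nocheck>' which is broken Syntax.",
    "Package declares a build time dependency on 'python3-ply <!nocheck>' which is broken Syntax.",
]


def render_unescaped(lines):
    """The pattern the report describes: raw tool output concatenated into
    HTML, one line per <br>, with no encoding of '<', '>', '&' or quotes."""
    return "<p>" + "".join(line + "<br>\n" for line in lines)


def render_escaped(lines):
    """The proposed fix: every line is HTML-encoded before being placed in
    the page. html.escape() here plays the role of PHP's htmlspecialchars();
    quote=True also encodes the single quotes around the dependency names."""
    return "<p>" + "".join(html.escape(line, quote=True) + "<br>\n" for line in lines)


class _TextExtractor(HTMLParser):
    """Collects only text nodes. Tags, comments and bogus '<!...>'
    declarations such as '<!nocheck>' are dropped, which is roughly what a
    browser shows to the user; character references are decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(fragment):
    """Approximate the text a browser would display for an HTML fragment."""
    parser = _TextExtractor()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


def all_lines_survive(lines, renderer):
    """True iff every input line is still readable verbatim after rendering.
    This is the check the fix should satisfy and the bug fails."""
    shown = visible_text(renderer(lines))
    return all(line in shown for line in lines)


if __name__ == "__main__":
    print("unescaped output keeps all lines:", all_lines_survive(SAMPLE_LINES, render_unescaped))
    print("escaped output keeps all lines:  ", all_lines_survive(SAMPLE_LINES, render_escaped))
    print(visible_text(render_unescaped(SAMPLE_LINES)))
```

The unescaped renderer reproduces the symptom exactly: the parser treats `<!nocheck>` as a (bogus) comment, so the displayed text reads `'python3-pil '` and the reader cannot tell why debcheck objected. With escaping, the same line reaches the page as `&lt;!nocheck&gt;` and is shown verbatim; the same encoding step is what neutralises any HTML or script a malicious dependency string could otherwise inject.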