Package: lintian
Version: 2.5.99
Severity: important
X-Debbugs-CC: ftpmas...@ftp-master.debian.org
X-Debbugs-CC: debian-ad...@lists.debian.org

Hi,

Lintian does not HTML-escape tag information when --color=html is used.
I noticed this after browsing a few packages in the NEW queue which have
broken stylesheets. Current examples:
https://ftp-master.debian.org/new/displaycal_3.6.1.0-1.html
https://ftp-master.debian.org/new/json-editor.js_0.7.28+ds-1.html

When generating those pages, dak passes --color=html to lintian and does
not escape the output (because that would escape the span tags). In this
case some privacy-breach-generic tags contained <link rel="stylesheet"
tags in their information which get emitted into the above pages.
Browsers then proceed to load these stylesheets from foreign websites.

It seems to me the best option is to have lintian HTML-escape everything
if --color=html is in use; otherwise --color=html cannot be used safely.
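To make the point concrete, here is an added example (Python, not lintian's own Perl code) that renders one tag line the way the report describes, once with the information field emitted verbatim and once with every package-derived field entity-escaped before the span markup is added, then parses each result to list the elements a browser would actually see. The sample tag data is constructed from the output quoted below.

```python
import html
from html.parser import HTMLParser

# Constructed sample, modelled on the privacy-breach-generic hit in the report:
# the "info" field carries markup copied out of the package's own HTML.
SAMPLE = {
    "code": "W",
    "package": "libjs-json-editor",
    "tag": "privacy-breach-generic",
    "info": ('usr/share/doc/libjs-json-editor/examples/wysiwyg.html '
             '[<link rel="stylesheet" '
             'href="//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css">] '
             '(//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css)'),
}


def render_unescaped(t, color="yellow"):
    """Reproduces the reported behaviour: only the tag name is wrapped in a
    span, and the information field is written out as-is."""
    return (f'{t["code"]}: {t["package"]}: '
            f'<span style="color: {color}">{t["tag"]}</span> {t["info"]}')


def render_escaped(t, color="yellow"):
    """Hardened variant: escape &, <, >, " and ' in every field that came from
    the package, so the only markup left is the span lintian itself adds."""
    esc = html.escape
    return (f'{esc(t["code"])}: {esc(t["package"])}: '
            f'<span style="color: {esc(color)}">{esc(t["tag"])}</span> '
            f'{esc(t["info"])}')


class TagCollector(HTMLParser):
    """Records the start tag of every element found while parsing a line."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(line):
    """Return the element names a browser would create for this HTML line."""
    p = TagCollector()
    p.feed(line)
    p.close()
    return p.tags
```

With the sample above, `elements_in(render_unescaped(SAMPLE))` yields a `link` element next to lintian's `span`, which is exactly the stylesheet the NEW queue pages end up loading; the escaped rendering yields only the `span`.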

Example broken lintian output:
> $ lintian --color=html libjs-json-editor_0.7.28+ds-1_all.deb
> W: libjs-json-editor: <span style="color: 
> yellow">privacy-breach-generic</span> 
> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" 
> href="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css">] 
> (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css)
> W: libjs-json-editor: <span style="color: 
> yellow">privacy-breach-generic</span> 
> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" 
> href="//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css">] 
> (//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css)
> W: libjs-json-editor: <span style="color: 
> yellow">privacy-breach-generic</span> 
> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<script 
> src="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js">] 
> (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js)
> W: libjs-json-editor: <span style="color: 
> yellow">privacy-breach-generic</span> ... use --no-tag-display-limit to see 
> all (or pipe to a file/program)

As an aside, I see that ftp-master.debian.org sets the non-standard
X-Xss-Protection HTTP header which might? mitigate this on some
browsers. Notably Firefox completely ignores this header and instead
requires you to use Content-Security-Policy to get XSS protection, so
setting that might be a good idea (although setting this "globally" will
almost certainly break stuff). I've CCed the DSA team since I guess they
manage this.

James
