Package: lintian
Version: 2.5.99
Severity: important
X-Debbugs-CC: ftpmas...@ftp-master.debian.org
X-Debbugs-CC: debian-ad...@lists.debian.org
Hi,

Lintian does not html escape tag information when --color=html is used. I noticed this after browsing a few packages in the NEW queue which have broken stylesheets. Current examples:

https://ftp-master.debian.org/new/displaycal_3.6.1.0-1.html
https://ftp-master.debian.org/new/json-editor.js_0.7.28+ds-1.html

When generating those pages, dak passes --color=html to lintian and does not escape the output (because that would escape the span tags). In this case some privacy-breach-generic tags contained <link rel="stylesheet" tags in their information which get emitted into the above pages. Browsers then proceed to load these stylesheets from foreign websites.

It seems to me the best option is to have lintian html escape everything if --color=html is in use, otherwise --color=html cannot be used safely.

Example broken lintian output:

> $ lintian --color=html libjs-json-editor_0.7.28+ds-1_all.deb
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css">] (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css">] (//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<script src="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js">] (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> ...
> use --no-tag-display-limit to see all (or pipe to a file/program)

As an aside, I see that ftp-master.debian.org sets the non-standard X-Xss-Protection HTTP header which might? mitigate this on some browsers. Notably Firefox completely ignores this header and instead requires you to use Content-Security-Policy to get XSS protection, so setting that might be a good idea (although setting this "globally" will almost certainly break stuff). I've CCed the DSA team since I guess they manage this.

James
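The failure mode the report describes, as an added illustration that is not part of the bug report and not lintian's own (Perl) code: a Python reconstruction of how a --color=html tag line is built, once emitting the tag information verbatim (the reported behaviour, where a <link rel="stylesheet"> inside the info field becomes live markup on the dak page) and once with every field passed through html.escape() before the colouring span is added. The severity-to-colour map, the URL in the sample tag and the `foreign_markup` helper are assumptions constructed for this example; only the <span style="color: yellow"> form comes from the report.

```python
import html
import re

# Constructed sample in the shape of the lines quoted in the report; the CDN
# host is a placeholder, not the one from the real package.
SAMPLE_TAGS = [
    ("W", "libjs-json-editor", "privacy-breach-generic",
     'usr/share/doc/libjs-json-editor/examples/wysiwyg.html '
     '[<link rel="stylesheet" href="//cdn.example/theme.css">] '
     '(//cdn.example/theme.css)'),
]

# Assumed colour map; the report only shows that warnings are rendered yellow.
SEVERITY_COLOURS = {"E": "red", "W": "yellow", "I": "cyan"}


def render_tag_html(severity, package, tag, info, escape=True):
    """Build one tag line the way --color=html presents it: the tag name is
    wrapped in a coloured <span>.  escape=False reproduces the reported bug
    (package name, tag and info go out verbatim, so markup inside the info
    field is interpreted by the browser).  escape=True escapes every field
    that originates from the package *before* the span is wrapped around it,
    so the only markup left in the line is the span we added ourselves."""
    colour = SEVERITY_COLOURS.get(severity, "black")
    if escape:
        package, tag, info = (html.escape(s, quote=True)
                              for s in (package, tag, info))
    return f'{severity}: {package}: <span style="color: {colour}">{tag}</span> {info}'


# The one piece of markup --color=html is expected to produce.
ALLOWED_SPAN = re.compile(r'</?span(?: style="color: [a-z]+")?>')


def foreign_markup(rendered):
    """Defensive check for a page generator that embeds --color=html output:
    return every HTML tag in the line other than the colouring <span>.
    A non-empty result means package-controlled text reached the page as
    markup and the output must not be embedded unescaped."""
    without_span = ALLOWED_SPAN.sub("", rendered)
    return re.findall(r"<[^>]+>", without_span)


if __name__ == "__main__":
    for row in SAMPLE_TAGS:
        for escape in (False, True):
            line = render_tag_html(*row, escape=escape)
            print(("escaped:  " if escape else "verbatim: ") + line)
            print("          foreign markup:", foreign_markup(line))
```

Escaping before the span is wrapped is the ordering that matters: escaping the finished line (what dak would have to do today) would also neutralise the span, which is exactly why the pages are currently emitted unescaped.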