Hi,

On Mon, 15 Jun 2020, Sebastien Delafond wrote:
> See for instance the following URL:
>
> > https://ci.debian.net/user/debci/jobs?package=abc"><script>alert(document.domain)</script>
The issue is present in multiple parameters and even in the URL itself:

XSS Param URL:
https://ci.debian.net/user/debci%3Cvideo%3E%3Csource%20onerror=%22javascript:prompt(9401)%22%3E/jobs

XSS Param package:
https://ci.debian.net/user/nobody/jobs?arch[]=amd64&package=bamtools%27%22()%26%25%3Cxx%3E%3CScRiPt%3Ealert(9904)%3C/ScRiPt%3E&suite[]=kali-dev

XSS Param trigger:
https://ci.debian.net/user/debci/jobs?arch[]=amd64&package=20&suite[]=kali-dev&trigger=1%27%22()%26%25%3Cxxx%3E%3CScRiPt%3Eprompt(9829)%3C/ScRiPt%3E

Is there any chance that you could fix this in the near future? The issues are not critical but ignoring them doesn't give a good image of us. (And what if this could be exploited to trigger a test run with some evil parameters...)

Regards,
-- 
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hert...@debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS
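Added example, not code from the report or from debci itself: the three reflected values quoted above are percent-decoded exactly as a server would see them, written into a minimal page fragment once unescaped (the pattern behind the report) and once HTML-escaped at output (the fix), with a check that no reflected value survives as markup. The fragment layout and the function names are assumptions.

```ruby
require 'cgi'
require 'erb'

# The path and query values from the report, still percent-encoded as in the URLs.
REPORTED = {
  "user"    => "debci%3Cvideo%3E%3Csource%20onerror=%22javascript:prompt(9401)%22%3E",
  "package" => "bamtools%27%22()%26%25%3Cxx%3E%3CScRiPt%3Ealert(9904)%3C/ScRiPt%3E",
  "trigger" => "1%27%22()%26%25%3Cxxx%3E%3CScRiPt%3Eprompt(9829)%3C/ScRiPt%3E",
}.freeze

# What the application receives after the web server / framework decodes them.
DECODED = REPORTED.transform_values { |v| CGI.unescape(v) }.freeze

# Assumed page fragment. Interpolating request values straight into HTML is the
# defect: every '<', '"' or '\'' in the value becomes part of the document's markup.
def render_unsafe(params)
  "<h1>Jobs for #{params['user']}</h1>" \
  "<p>package: #{params['package']}, trigger: #{params['trigger']}</p>"
end

# Fix: escape each untrusted value at the moment it is written into HTML
# (ERB::Util.html_escape turns & < > " ' into entities). Templating engines
# that auto-escape do this by default; string concatenation never does.
def render_safe(params)
  h = ->(v) { ERB::Util.html_escape(v.to_s) }
  "<h1>Jobs for #{h[params['user']]}</h1>" \
  "<p>package: #{h[params['package']]}, trigger: #{h[params['trigger']]}</p>"
end

# Regression check for such a fix: a request value containing markup characters
# must never appear verbatim in the rendered page.
def reflects_raw_input?(html, params)
  params.values.any? { |v| v.match?(/[<>"']/) && html.include?(v) }
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe reflects raw input: #{reflects_raw_input?(render_unsafe(DECODED), DECODED)}"
  puts "safe   reflects raw input: #{reflects_raw_input?(render_safe(DECODED), DECODED)}"
  puts render_safe(DECODED)
end
```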