Hi, I just stumbled upon an XSS bug in db.debian.org:
https://db.debian.org/search.cgi?id=%22%3E%3C/a%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E%3Cx%20y=%22&dosearch=Search...
Both the "id" and "authtoken" fields lack input validation.
<zobel> bfly: you can find the code at git.debian.org in userdir-ldap-cgi
<zobel> would be nice if you could send a patch
A (n untested) patch is attached. Please let me know whether it's usable
and whether you are going to apply it.
-- Moritz
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>