Package: devscripts
Version: 2.22.2
Severity: normal
X-Debbugs-Cc: danir...@offensive-security.com
Dear Maintainer,

I found an issue with the uscan command. The option '--dehs' is meant to generate only valid XML output, but after the '<dehs>' tag it adds some plain-text lines that aren't escaped. For example, if the package URL contains the character '&' (which should be escaped as '&amp;'), parsing the XML output will result in an error.

Here is an example using the Kali repository for the burpsuite package: https://gitlab.com/kalilinux/packages/burpsuite/-/blob/kali/master/debian/watch

```
$ uscan --watchfile burpsuite/debian/watch --package burpsuite --upstream-version 2022.1 --dehs
<dehs>
uscan: Newest version of burpsuite on remote site is 2022.8.4, local version is 2022.1
uscan:    => Newer package available from:
   => https://portswigger.net/burp/releases/startdownload?product=community&version=2022.8.4&type=jar
<package>burpsuite</package>
<debian-uversion>2022.1</debian-uversion>
<debian-mangled-uversion>2022.1</debian-mangled-uversion>
<upstream-version>2022.8.4</upstream-version>
<upstream-url>https://portswigger.net/burp/releases/startdownload?product=community&amp;version=2022.8.4&amp;type=jar</upstream-url>
<status>newer package available</status>
</dehs>
```

You can see that the string inside the upstream-url tag is properly escaped, but the one in the third line isn't.

-- System Information:
Debian Release: 11.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-10-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
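Anyone consuming `uscan --dehs` output from a script (for example in a package-update monitor) needs to cope with this until it is fixed, and the safe approach is to treat the tool's output as untrusted text rather than assuming it is XML. The following Python is an added example and is not part of the bug report or of devscripts: it embeds a constructed copy of the output shown above, confirms that a strict XML parse fails on the raw '&' in the diagnostic line, and then drops the non-element lines (the `uscan:` and `=>` lines) before parsing, which recovers the fields with the entity correctly decoded. The assumption that each dehs element sits on its own line is mine, not something the report states.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample reproducing the uscan --dehs output shown in the report:
# the diagnostic lines carry a raw '&', the <upstream-url> element uses &amp;.
SAMPLE_OUTPUT = """\
<dehs>
uscan: Newest version of burpsuite on remote site is 2022.8.4, local version is 2022.1
uscan:    => Newer package available from:
   => https://portswigger.net/burp/releases/startdownload?product=community&version=2022.8.4&type=jar
<package>burpsuite</package>
<debian-uversion>2022.1</debian-uversion>
<debian-mangled-uversion>2022.1</debian-mangled-uversion>
<upstream-version>2022.8.4</upstream-version>
<upstream-url>https://portswigger.net/burp/releases/startdownload?product=community&amp;version=2022.8.4&amp;type=jar</upstream-url>
<status>newer package available</status>
</dehs>
"""


def parse_strict(text):
    """Parse the output as-is; return {tag: text} or None if it is not well-formed XML."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # expat stops at '&version=' in the plain-text line: '&' must start an entity.
        return None
    return {child.tag: (child.text or "") for child in root}


# A dehs element line begins with '<' (possibly indented).
_ELEMENT_LINE = re.compile(r"^\s*<")


def strip_diagnostics(text):
    """Drop lines that are not XML element lines.

    Assumption (mine, not from the report): dehs output puts each element on
    its own line, so any line not starting with '<' is uscan's plain-text
    progress output and is not part of the XML document.
    """
    kept = [line for line in text.splitlines() if _ELEMENT_LINE.match(line)]
    return "\n".join(kept) + "\n"


def parse_dehs(text):
    """Parse dehs output after removing the unescaped diagnostic lines."""
    fields = parse_strict(strip_diagnostics(text))
    if fields is None:
        raise ValueError("dehs output is not well-formed XML even after filtering")
    return fields


if __name__ == "__main__":
    strict = parse_strict(SAMPLE_OUTPUT)
    print("strict parse:", "ok" if strict is not None else "failed (raw '&' in diagnostic line)")
    fields = parse_dehs(SAMPLE_OUTPUT)
    print("upstream-version:", fields["upstream-version"])
    print("upstream-url:", fields["upstream-url"])
```

The filter keeps the parser strict instead of loosening it: a malformed element line still raises, so a garbled or truncated `<upstream-url>` is rejected rather than silently half-read, and the decoded URL (`&` instead of `&amp;`) comes from the XML parser, not from string replacement.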