Bug#907667: lintian: should html escape output if --color=html is used
Hi Niels,

> Though, reminder - if you introduce a new dependency, you will have to
> get DSA to install it on lindsay.d.o before you can upgrade lintian there.

(Oh, I forgot to mention; it's already installed on lindsay)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#907667: lintian: should html escape output if --color=html is used
Chris Lamb:
> Hi Niels,
>
>> Any reason for introducing the CGI dependency over simply applying the
>> same escape rules for the $information variable?
>
> Only because well-used libraries are preferred, particularly for data
> sanitisation (!) operations.
>
> Is the extra dependency problematic? We use some far-more esoteric
> libraries than CGI, so I did not think it would be an issue.
>
>
> Regards,
>

If we are consistent with how we perform the quoting, I do not mind the
extra dependency. Particularly because it should be doable to reduce it
to a suggests given --color=html is not a default (which we can add
later if relevant).

Though, reminder - if you introduce a new dependency, you will have to
get DSA to install it on lindsay.d.o before you can upgrade lintian there.

Thanks,
~Niels
Bug#907667: lintian: should html escape output if --color=html is used
Hi Niels,

> Any reason for introducing the CGI dependency over simply applying the
> same escape rules for the $information variable?

Only because well-used libraries are preferred, particularly for data
sanitisation (!) operations.

Is the extra dependency problematic? We use some far-more esoteric
libraries than CGI, so I did not think it would be an issue.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#907667: lintian: should html escape output if --color=html is used
Chris Lamb:
> tags 907667 + pending
> thanks
>
> Fixed in Git, pending upload:
>
>
> https://salsa.debian.org/lintian/lintian/commit/897c485d61387adc5689f287c7e0404e604136e7
>
> debian/changelog                              | 5 +
> debian/control                                | 2 ++
> lib/Lintian/Output.pm                         | 7 +++
> t/tests/lintian-color-html/debian/debian/docs | 1 +
> t/tests/lintian-color-html/debian/foo.xml     | 1 +
> t/tests/lintian-color-html/desc               | 8
> t/tests/lintian-color-html/tags               | 1 +
> 7 files changed, 21 insertions(+), 4 deletions(-)
>
>
> Regards,
>

Any reason for introducing the CGI dependency over simply applying the
same escape rules for the $information variable?

Possibly we could extract the html_quote from
commands/reporting-html-reports.pm and put it in L::Util (or similar)
and share the code from there.

Alternatively, if we are moving to a dependency to solve this issue,
then we should use it consistently (i.e. remove html_quote from
commands/reporting-html-reports.pm).

Thanks,
~Niels
Bug#907667: lintian: should html escape output if --color=html is used
tags 907667 + pending
thanks

Fixed in Git, pending upload:

https://salsa.debian.org/lintian/lintian/commit/897c485d61387adc5689f287c7e0404e604136e7

debian/changelog                              | 5 +
debian/control                                | 2 ++
lib/Lintian/Output.pm                         | 7 +++
t/tests/lintian-color-html/debian/debian/docs | 1 +
t/tests/lintian-color-html/debian/foo.xml     | 1 +
t/tests/lintian-color-html/desc               | 8
t/tests/lintian-color-html/tags               | 1 +
7 files changed, 21 insertions(+), 4 deletions(-)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#907667: lintian: should html escape output if --color=html is used
Dear James,

> some privacy-breach-generic tags contained tags in their information which get emitted into the above pages.
> Browsers then proceed to load these stylesheets from foreign websites.

The irony that this is designed to /prevent/ loading from these websites
in the first place is simply delicious.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#907667: lintian: should html escape output if --color=html is used
Package: lintian
Version: 2.5.99
Severity: important
X-Debbugs-CC: ftpmas...@ftp-master.debian.org
X-Debbugs-CC: debian-ad...@lists.debian.org

Hi,

Lintian does not html escape tag information when --color=html is used.

I noticed this after browsing a few packages in the NEW queue which have
broken stylesheets. Current examples:

https://ftp-master.debian.org/new/displaycal_3.6.1.0-1.html
https://ftp-master.debian.org/new/json-editor.js_0.7.28+ds-1.html

When generating those pages, dak passes --color=html to lintian and does
not escape the output (because that would escape the span tags). In this
case some privacy-breach-generic tags contained

$ lintian --color=html libjs-json-editor_0.7.28+ds-1_all.deb
> W: libjs-json-editor: privacy-breach-generic
> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [ href="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css">]
> (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css)
> W: libjs-json-editor: privacy-breach-generic
> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [ href="//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css">]
> (//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css)
> W: libjs-json-editor: privacy-breach-generic
> usr/share/doc/libjs-json-editor/examples/wysiwyg.html
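The escaping problem reported above, as an added example that is not part of the thread and is not lintian's or dak's code: an emitter that wraps its output in its own span markup has to escape every data field itself, because the consumer cannot escape the combined line without also escaping the spans. The function names, the span style and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not lintian's code. Function names, the span markup
# and the sample data are assumptions.
use strict;
use warnings;

my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

# Hypothetical helper: single-pass escape, so '&' is never double-encoded.
sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Before: untrusted tag data is concatenated next to the emitter's markup.
sub format_tag_raw {
    my ($code, $pkg, $tag, $information) = @_;
    return sprintf('%s: %s: <span style="color: yellow">%s</span> %s',
                   $code, $pkg, $tag, $information);
}

# After: every data field is escaped; only the emitter's own <span> is markup.
sub format_tag_escaped {
    my @fields = map { escape_html($_) } @_;
    return sprintf('%s: %s: <span style="color: yellow">%s</span> %s', @fields);
}

# Constructed sample: information quoting markup found in a packaged file.
my @hit = ('W', 'example-pkg', 'privacy-breach-generic',
           'usr/share/doc/example/demo.html '
           . '[<link rel="stylesheet" href="//cdn.example.net/a.css">]');

my $raw  = format_tag_raw(@hit);
my $safe = format_tag_escaped(@hit);
print "raw:     $raw\n";
print "escaped: $safe\n";

# Regression check for the emitter: after removing exactly the wrapper it
# adds itself, no angle bracket may remain in the line.
for my $line ($raw, $safe) {
    (my $rest = $line) =~ s{<span style="color: yellow">|</span>}{}g;
    print $rest =~ /[<>]/ ? "REJECT: unescaped markup\n" : "OK\n";
}
```

The raw line is rejected because the quoted `<link>` element survives as live markup; the escaped line passes and renders the element as text.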