Need to use escaping in a number of templates
Created by: djimenez
the contents and packages related templates are primarily using the triple braced interpolation which does no html escaping, when typically they should be using the double braced interpolation that atuomatically performs escaping.
quotes and html characters in values from form inputs or package metadata can wreck the output. An example of this already exists without any maliscious input, the maintainer select options has a piece templated out like:
<option value="Steffen Lange">Steffen Lange</option> <option value="Stuart Cardall">Stuart Cardall</option> <option selected value="Stuart Cardall <email@example.com> Cameron Banta">Stuart Cardall <developer...</option> <option value="Sören Tempel">Sören Tempel</option> <option value="Ted Trask">Ted Trask</option>
notice that the < and > characters aren't being transformed into > and < where appropriate - a quote would not either, as seen if we put a value with a quote in the packages form (here I've inserted the alpine logo into the middle of the page by crafting the query):
i would imagine you actually want to use the double braces in your templates for everything except your header and footer includes.
PS I know nothing about lustache other than what i read in the variables section o fthe readme: https://github.com/Olivine-Labs/lustache#variables