Need to use escaping in a number of templates
Created by: djimenez
The contents- and packages-related templates are primarily using the triple-braced interpolation, which does no HTML escaping, when typically they should be using the double-braced interpolation, which automatically performs escaping.
Quotes and HTML characters in values from form inputs or package metadata can wreck the output. An example of this already exists without any malicious input: the maintainer select options have a piece templated out like:
<option value="Steffen Lange">Steffen Lange</option>
<option value="Stuart Cardall">Stuart Cardall</option>
<option selected value="Stuart Cardall <developer@it-offshore.co.uk> Cameron Banta">Stuart Cardall <developer...</option>
<option value="Sören Tempel">Sören Tempel</option>
<option value="Ted Trask">Ted Trask</option>
Notice that the < and > characters aren't being transformed into &lt; and &gt; where appropriate. A quote would not be either, as seen if we put a value with a quote in the packages form (here I've inserted the Alpine logo into the middle of the page by crafting the query):
Luckily modern browsers are good at detecting reflected XSS, so it's not easy to use this to execute arbitrary JavaScript. But a browser wouldn't be able to detect scripts that come from malicious package information. If I was able to sneak an evil package author, description or URL into the apk indexes, these pages would display it.
I would imagine you actually want to use the double braces in your templates for everything except your header and footer includes.
PS: I know nothing about lustache other than what I read in the variables section of the readme: https://github.com/Olivine-Labs/lustache#variables
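The difference between the two interpolation forms, as an added example that is not part of the original report or of the site's own templates. It assumes lustache is installed (luarocks install lustache); the maintainer values are constructed, standing in for strings that would come from package metadata or a form field.

```lua
-- Added example, not the aports site's code: why the packages/contents
-- templates should use {{var}} instead of {{{var}}}.
-- Assumes lustache is available via: luarocks install lustache
local lustache = require "lustache"

-- Constructed sample data. In the real site these strings come from the
-- APKINDEX maintainer field or from user form input, so an attacker can
-- influence them.
local maintainers = {
  { name = "Stuart Cardall <developer@it-offshore.co.uk>", selected = true },
  -- a crafted maintainer field: closes the value attribute and the <option>
  -- tag, then injects a script element
  { name = 'Evil Maintainer"><script>alert(document.cookie)</script>', selected = false },
}
local view = { maintainers = maintainers }

-- Vulnerable form: triple braces interpolate the raw value, so quotes and
-- angle brackets land in the HTML unchanged.
local unsafe_tpl = [[
{{#maintainers}}
<option {{#selected}}selected {{/selected}}value="{{{name}}}">{{{name}}}</option>
{{/maintainers}}
]]

-- Fixed form: double braces HTML-escape the value, so <, >, ", & (and ')
-- are emitted as entities and the browser treats them as text.
local safe_tpl = [[
{{#maintainers}}
<option {{#selected}}selected {{/selected}}value="{{name}}">{{name}}</option>
{{/maintainers}}
]]

local unsafe_out = lustache:render(unsafe_tpl, view)
local safe_out = lustache:render(safe_tpl, view)

print("--- {{{ }}} (unescaped) ---")
print(unsafe_out)
print("--- {{ }} (escaped) ---")
print(safe_out)

-- Sanity checks: the raw <script> tag survives only in the unescaped output.
assert(unsafe_out:find("<script>", 1, true), "expected raw tag in unescaped output")
assert(not safe_out:find("<script>", 1, true), "escaping failed")
assert(safe_out:find("&lt;script&gt;", 1, true), "expected entity-encoded tags")
```

The same rule applies to the value attribute: with `{{{name}}}` the embedded quote terminates `value="..."` early, which is the attribute-injection case the report describes for the packages form. Only header and footer includes that are trusted, static HTML should keep the unescaped form.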