Version in base suite: 1.3.8-3
Base version: postorius_1.3.8-3
Target version: postorius_1.3.8-3+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/postorius/postorius_1.3.8-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/postorius/postorius_1.3.8-3+deb12u1.dsc
changelog | 6 ++++++
patches/series | 1 +
patches/xss-in-held-messages.patch | 16 ++++++++++++++++
3 files changed, 23 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptenyv7bu/postorius_1.3.8-3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptenyv7bu/postorius_1.3.8-3+deb12u1.dsc: no acceptable signature found
diff -Nru postorius-1.3.8/debian/changelog postorius-1.3.8/debian/changelog
--- postorius-1.3.8/debian/changelog 2023-01-29 17:44:36.000000000 +0000
+++ postorius-1.3.8/debian/changelog 2026-05-07 21:32:28.000000000 +0000
@@ -1,3 +1,9 @@
+postorius (1.3.8-3+deb12u1) bookworm-security; urgency=medium
+
+ * Fix XSS in queue for held messages
+
+ -- Moritz Mühlenhoff Thu, 07 May 2026 23:32:28 +0200
+
 postorius (1.3.8-3) unstable; urgency=medium
 * d/rules: fix a typo on jquery linking
diff -Nru postorius-1.3.8/debian/patches/series postorius-1.3.8/debian/patches/series
--- postorius-1.3.8/debian/patches/series 2023-01-29 15:34:52.000000000 +0000
+++ postorius-1.3.8/debian/patches/series 2026-05-07 21:32:15.000000000 +0000
@@ -1,2 +1,3 @@
 0001-README.rst-remove-embedded-images.patch
 0002-Drop-requests_panel.patch
+xss-in-held-messages.patch
diff -Nru postorius-1.3.8/debian/patches/xss-in-held-messages.patch postorius-1.3.8/debian/patches/xss-in-held-messages.patch
--- postorius-1.3.8/debian/patches/xss-in-held-messages.patch 1970-01-01 00:00:00.000000000 +0000
+++ postorius-1.3.8/debian/patches/xss-in-held-messages.patch 2026-05-07 21:32:25.000000000 +0000
@@ -0,0 +1,16 @@
+From 8d00a3c317729f37435bdbd27170f630e341f29e Mon Sep 17 00:00:00 2001
+From: Danil Smirnov
+Date: Sun, 19 Jan 2025 12:22:12 +0200
+Subject: [PATCH 1/2] Fixing held_messages.js
+
+--- postorius-1.3.8.orig/src/postorius/static/postorius/js/held_messages.js
++++ postorius-1.3.8/src/postorius/static/postorius/js/held_messages.js
+@@ -9,7 +9,7 @@ var loadjs = function(rest_url, error_me
+ url: rest_url + msgid,
+ success: function(data) {
+ $('#message-source-btn').attr('href', rest_url + msgid + '?raw')
+- $('#message-title').html(data.subject);
++ $('#message-title').text(data.subject);
+ $('.modal-footer form input[name="msgid"]').attr('value', msgid);
+ if (data.msg.body) {
+ $('#held-message-content').text(data.msg.body);
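Review bot: The embedded upstream patch is labelled `[PATCH 1/2]` but debian/patches/series only gains this one file, so it is worth confirming that the second part of the upstream fix is not also required for bookworm; from this hunk alone that cannot be decided. The change itself is correct: `.text(data.subject)` sets textContent, so a crafted subject is no longer parsed as markup in `#message-title`, whereas the other sinks in `loadjs` (the `?raw` href built from `msgid` via `.attr()`, and whatever follows the visible `if (data.msg.body)` branch) lie outside this hunk, and the function's body both starts and ends outside it. The patch header carries only the git-format `From:`/`Subject:` lines; for DEP-3 traceability add `Origin: upstream, 8d00a3c317729f37435bdbd27170f630e341f29e` and, if one was assigned, `Bug: <CVE-ID>` above the `---` line.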