Version in base suite: 0.12.1+dfsg-8+deb12u1
Base version: shaarli_0.12.1+dfsg-8+deb12u1
Target version: shaarli_0.12.1+dfsg-8+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/shaarli/shaarli_0.12.1+dfsg-8+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/shaarli/shaarli_0.12.1+dfsg-8+deb12u2.dsc
 changelog | 7 +
 patches/0022-fix-stored-XSS-via-tag-suggestions.patch | 126 ++++++++++++++++++
 patches/series | 1
 3 files changed, 134 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpczx4po4i/shaarli_0.12.1+dfsg-8+deb12u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpczx4po4i/shaarli_0.12.1+dfsg-8+deb12u2.dsc: no acceptable signature found
diff -Nru shaarli-0.12.1+dfsg/debian/changelog shaarli-0.12.1+dfsg/debian/changelog
--- shaarli-0.12.1+dfsg/debian/changelog 2025-08-30 13:48:22.000000000 +0000
+++ shaarli-0.12.1+dfsg/debian/changelog 2026-02-06 15:19:00.000000000 +0000
@@ -1,3 +1,10 @@
+shaarli (0.12.1+dfsg-8+deb12u2) bookworm-security; urgency=medium
+
+ * Add patch to fix stored XSS via tag suggestions
+ (Closes: #1126554, CVE-2026-24476)
+
+ -- James Valleroy Fri, 06 Feb 2026 10:19:00 -0500
+
 shaarli (0.12.1+dfsg-8+deb12u1) bookworm; urgency=medium
 
 * Add patch to fix CVE-2025-55291 (Closes: #1111589)
diff -Nru shaarli-0.12.1+dfsg/debian/patches/0022-fix-stored-XSS-via-tag-suggestions.patch shaarli-0.12.1+dfsg/debian/patches/0022-fix-stored-XSS-via-tag-suggestions.patch
--- shaarli-0.12.1+dfsg/debian/patches/0022-fix-stored-XSS-via-tag-suggestions.patch 1970-01-01 00:00:00.000000000 +0000
+++ shaarli-0.12.1+dfsg/debian/patches/0022-fix-stored-XSS-via-tag-suggestions.patch 2026-02-06 15:19:00.000000000 +0000
@@ -0,0 +1,126 @@
+From: Moritz Woermann
+Date: Thu, 11 Dec 2025 20:44:48 +0100
+Subject: fix stored XSS via tag suggestions
+
+Cherry-picked from upstream commit:
+https://github.com/shaarli/Shaarli/commit/f1ee96a763dd6889f543b0f8d1bb2a1c3df2c320
+
+Fix for CVE-2026-24476:
+https://security-tracker.debian.org/tracker/CVE-2026-24476
+
+Forwarded: not-needed
+---
+ tpl/default/addlink.html | 2 +-
+ tpl/default/editlink.html | 2 +-
+ tpl/default/linklist.html | 2 +-
+ tpl/default/page.header.html | 2 +-
+ tpl/default/tag.cloud.html | 2 +-
+ tpl/default/tag.list.html | 2 +-
+ tpl/vintage/editlink.html | 2 +-
+ tpl/vintage/linklist.html | 2 +-
+ 8 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tpl/default/addlink.html b/tpl/default/addlink.html
+index 4aac7ff..ba3bb51 100644
+--- a/tpl/default/addlink.html
++++ b/tpl/default/addlink.html
+@@ -58,7 +58,7 @@
+ 
+
+ 
++ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple data-autofirst autocomplete="off">
+
+ 
+
+diff --git a/tpl/default/editlink.html b/tpl/default/editlink.html
+index 83e541f..0b590fe 100644
+--- a/tpl/default/editlink.html
++++ b/tpl/default/editlink.html
+@@ -57,7 +57,7 @@
+
+
+ 
++ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple data-autofirst autocomplete="off" >
+
+ 
+
+diff --git a/tpl/default/linklist.html b/tpl/default/linklist.html
+index 7208a3b..9d342e5 100644
+--- a/tpl/default/linklist.html
++++ b/tpl/default/linklist.html
+@@ -29,7 +29,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+diff --git a/tpl/default/page.header.html b/tpl/default/page.header.html
+index a71464c..2a93f06 100644
+--- a/tpl/default/page.header.html
++++ b/tpl/default/page.header.html
+@@ -112,7 +112,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+diff --git a/tpl/default/tag.cloud.html b/tpl/default/tag.cloud.html
+index 01b50b0..d09ed4c 100644
+--- a/tpl/default/tag.cloud.html
++++ b/tpl/default/tag.cloud.html
+@@ -31,7 +31,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ class="autofocus"
+ >
+
+diff --git a/tpl/default/tag.list.html b/tpl/default/tag.list.html
+index 96e7fbe..cb354a5 100644
+--- a/tpl/default/tag.list.html
++++ b/tpl/default/tag.list.html
+@@ -31,7 +31,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+diff --git a/tpl/vintage/editlink.html b/tpl/vintage/editlink.html
+index 343418b..f6cb461 100644
+--- a/tpl/vintage/editlink.html
++++ b/tpl/vintage/editlink.html
+@@ -33,7 +33,7 @@
+ 
+
+ 
++ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple autocomplete="off" >
+
+ 
+
+diff --git a/tpl/vintage/linklist.html b/tpl/vintage/linklist.html
+index ff0dd40..787e53f 100644
+--- a/tpl/vintage/linklist.html
++++ b/tpl/vintage/linklist.html
+@@ -22,7 +22,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
diff -Nru shaarli-0.12.1+dfsg/debian/patches/series shaarli-0.12.1+dfsg/debian/patches/series
--- shaarli-0.12.1+dfsg/debian/patches/series 2025-08-30 13:48:22.000000000 +0000
+++ shaarli-0.12.1+dfsg/debian/patches/series 2026-02-06 15:19:00.000000000 +0000
@@ -19,3 +19,4 @@
 0020-Cherry-pick-date-view-fix-from-upstream.patch
 0021-webpack-css-loader-Disable-url-resolving.patch
 0025-fix-reflected-XSS-via-searchtags-parameter.patch
+0022-fix-stored-XSS-via-tag-suggestions.patch
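Review bot: The only change in each of the eight templates is `{$key}` → `{$key|escape}` inside the `data-list` attribute, which (assuming the `escape` modifier HTML-encodes quotes and angle brackets) stops a stored tag name from closing the attribute; the unchanged context line `value="{$search_tags}"` in the linklist, page.header, tag.cloud, tag.list and vintage/linklist hunks is rendered into the same input without `|escape`, so it is worth confirming that this value is sanitised before it reaches the template (presumably by 0025) rather than left to this patch. The rendered page has lost the `<input …>` context and the removed `-` lines of the addlink, editlink and vintage/editlink hunks (only the `++ data-list=` line survives), so those three templates can only be reviewed from the added line; diffing the applied patch against the upstream commit named in the header would confirm nothing else was dropped. A grep for remaining unescaped `{$key}` or `{$value}` uses inside attribute contexts under `tpl/` would show whether every autocomplete list is covered, not just the files upstream touched.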
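Review bot: The new entry `0022-fix-stored-XSS-via-tag-suggestions.patch` is appended after `0025-fix-reflected-XSS-via-searchtags-parameter.patch`, so the patch numbering no longer reflects apply order; quilt applies in file order, so this works, but a reader listing `debian/patches/` will assume 0022 is applied before 0025. Renaming the patch to the next free number or noting the out-of-order numbering in the patch header would avoid that confusion.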