Version in base suite: 2.2.0-3 Base version: beets_2.2.0-3 Target version: beets_2.2.0-3+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/beets/beets_2.2.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/beets/beets_2.2.0-3+deb13u1.dsc changelog | 8 + patches/add_unit_test_checking_unsafe_web_ui_input | 100 +++++++++++++++ patches/fix_xss_by_using_escaped_template_tags_in_web_ui | 82 ++++++++++++ patches/series | 2 salsa-ci.yml | 7 + 5 files changed, 199 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4qwzjgb5/beets_2.2.0-3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4qwzjgb5/beets_2.2.0-3+deb13u1.dsc: no acceptable signature found diff -Nru beets-2.2.0/debian/changelog beets-2.2.0/debian/changelog --- beets-2.2.0/debian/changelog 2025-04-13 21:38:58.000000000 +0000 +++ beets-2.2.0/debian/changelog 2026-05-25 09:10:59.000000000 +0000 @@ -1,3 +1,11 @@ +beets (2.2.0-3+deb13u1) trixie; urgency=medium + + * Add patch to fix xss vulnerability CVE-2026-42052 in web ui + (Closes: #1135779) + * Add patch with test for unsafe web ui input + + -- Pieter Lenaerts Mon, 25 May 2026 09:10:59 +0000 + beets (2.2.0-3) unstable; urgency=medium [ Florent 'Skia' Jacquet ] diff -Nru beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input --- beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 1970-01-01 00:00:00.000000000 +0000 +++ beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 2026-05-25 07:35:23.000000000 +0000 
@@ -0,0 +1,100 @@ +From: Pieter Lenaerts +Date: Sat, 9 May 2026 12:22:05 +0200 +Subject: Add unit test checking for unsafe input in web ui + +Forwarded: https://github.com/beetbox/beets/pull/6639 +--- + test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 84 insertions(+) + create mode 100644 test/plugins/test_web_xss.py + +diff --git a/test/plugins/test_web_xss.py b/test/plugins/test_web_xss.py +new file mode 100644 +index 0000000..021122e +--- /dev/null ++++ b/test/plugins/test_web_xss.py +@@ -0,0 +1,84 @@ ++"""Tests for XSS vulnerability in the web plugin templates. ++ ++This test verifies that the Underscore.js templates in index.html use ++the escaping syntax (<%- %) instead of the non-escaping syntax (<%= %). ++ ++In Underscore.js 1.2.2 (used by beets): ++- <%= variable %> does NOT escape HTML (vulnerable to XSS) ++- <%- variable %> DOES escape HTML (safe) ++ ++The test checks the index.html template file served by Flask to ensure ++all user data interpolations in the Underscore.js templates use the escaping ++syntax. ++ ++Generated using mistral vibe, verified by Pieter Lenaerts ++""" ++ ++import re ++ ++from beets.test.helper import ItemInDBTestCase ++from beetsplug import web ++ ++ ++class WebXSSTest(ItemInDBTestCase): ++ def setUp(self): ++ super().setUp() ++ web.app.config["TESTING"] = True ++ web.app.config["lib"] = self.lib ++ web.app.config["INCLUDE_PATHS"] = False ++ web.app.config["READONLY"] = True ++ self.client = web.app.test_client() ++ ++ def test_templates_use_escaping_syntax(self): ++ """Verify that all Underscore.js templates use <%- %> for escaping. ++ ++ This test requests the index.html page and checks that all ++ user data interpolations in the Underscore.js templates use ++ the escaping syntax (<%- %) rather than the non-escaping syntax (<%= %). ++ ++ Before the fix (with <%= %>), this test will fail. ++ After the fix (with <%- %>), this test will pass. 
++ """ ++ # Request the index.html page ++ response = self.client.get("/") ++ html = response.data.decode("utf-8") ++ ++ # Extract the template scripts from the HTML ++ # The templates are in ' ++ templates = re.findall(template_pattern, html, re.DOTALL) ++ ++ # Combine all template content for checking ++ all_template_content = "\n".join(templates) ++ ++ # Check that no <%= %> (non-escaping) tags exist for user data ++ # We look for <%= followed by a variable name (word characters) ++ non_escaping_pattern = r'<%=\s*(\w+)\s*%>' ++ non_escaping_matches = re.findall(non_escaping_pattern, all_template_content) ++ ++ # List of fields that should be escaped (user-controlled data) ++ user_data_fields = [ ++ 'title', 'artist', 'album', 'year', 'track', 'tracktotal', ++ 'disc', 'disctotal', 'length', 'format', 'bitrate', ++ 'mb_trackid', 'id', 'lyrics', 'comments' ++ ] ++ ++ # Check if any user data fields are using non-escaping <%= %> ++ vulnerable_fields = [field for field in non_escaping_matches if field in user_data_fields] ++ ++ # If we found any user data fields using <%= %>, the templates are vulnerable ++ assert len(vulnerable_fields) == 0, ( ++ f"Found non-escaping <%= %> tags for user data fields: {vulnerable_fields}. " ++ f"These should use <%- %> for HTML escaping to prevent XSS." ++ ) ++ ++ # Also verify that escaping tags (<%- %>) are present for user data ++ escaping_pattern = r'<%-\s*(\w+)\s*%>' ++ escaping_matches = re.findall(escaping_pattern, all_template_content) ++ ++ # At least some user data fields should use escaping ++ safe_fields = [field for field in escaping_matches if field in user_data_fields] ++ assert len(safe_fields) > 0, ( ++ "No escaping <%- %> tags found for user data fields. " ++ "Templates should use <%- %> for HTML escaping." 
++ ) diff -Nru beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui --- beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 1970-01-01 00:00:00.000000000 +0000 +++ beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 2026-05-25 07:35:23.000000000 +0000 @@ -0,0 +1,82 @@ +From: Šarūnas Nejus https://github.com/snejus +Date: Sat, 9 May 2026 08:04:44 +0200 +Subject: Fix XSS by using escaped template tags in web UI + +Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 +Bug-Debian: https://bugs.debian.org/1135779 +Origin: backport, https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a +Forwarded: not-needed +--- + beetsplug/web/templates/index.html | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/beetsplug/web/templates/index.html b/beetsplug/web/templates/index.html +index 0fdd46d..7b1e43f 100644 +--- a/beetsplug/web/templates/index.html ++++ b/beetsplug/web/templates/index.html +@@ -45,16 +45,16 @@ + + + + diff -Nru beets-2.2.0/debian/patches/series beets-2.2.0/debian/patches/series --- beets-2.2.0/debian/patches/series 2025-04-13 21:38:58.000000000 +0000 +++ beets-2.2.0/debian/patches/series 2026-05-25 07:35:23.000000000 +0000 @@ -3,3 +3,5 @@ test-rsrc 2025-future fix-ubuntu-s390x +fix_xss_by_using_escaped_template_tags_in_web_ui +add_unit_test_checking_unsafe_web_ui_input diff -Nru beets-2.2.0/debian/salsa-ci.yml beets-2.2.0/debian/salsa-ci.yml --- beets-2.2.0/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ beets-2.2.0/debian/salsa-ci.yml 2026-04-09 07:00:30.000000000 +0000 @@ -0,0 +1,7 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + SALSA_CI_DISABLE_BLHC: 1 + SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 1 + SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1
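Review bot: The non-escaping check in test_templates_use_escaping_syntax only catches `<%= name %>` where the interpolated expression is a single `\w+` token that is also in the hard-coded user_data_fields list, so an unescaped `<%= item.title %>`, `<%= albumartist %>` or any field missing from that list would still pass. If, as the 14-insertion/14-deletion diffstat of the companion patch suggests, every `<%=` in index.html was swapped for `<%-`, the stronger and simpler assertion is that none remain at all: `non_escaping_matches = re.findall(r"<%=\s*(.+?)\s*%>", all_template_content, re.DOTALL)` followed by `assert not non_escaping_matches, f"Found non-escaping <%= %> tags: {non_escaping_matches}"`. The template_pattern assignment is not legible on this page (the script-tag text appears to have been stripped), so whether it actually selects the Underscore template blocks could not be checked here. The second assertion, that at least one `<%- %>` for a listed field is present, is a useful guard that the regex really matched the templates and can stay as written.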
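Review bot: debian/salsa-ci.yml is a new file in this stable update that the changelog entry does not mention and that has no connection to the CVE fix, which is the kind of unrelated change a stable release review usually asks to have dropped or at least recorded in the changelog. Its timestamp (2026-04-09) predates both patches, which suggests it came along with the packaging repository state rather than being intended for this upload; if it is meant to stay, a changelog line such as `* Add debian/salsa-ci.yml for Salsa CI` would document it. The YAML itself raises no issue.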