Version in base suite: 1.3.13-1 Base version: postorius_1.3.13-1 Target version: postorius_1.3.13-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/postorius/postorius_1.3.13-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/postorius/postorius_1.3.13-1+deb13u1.dsc changelog | 6 ++++++ patches/series | 1 + patches/xss-held-messages.patch | 16 ++++++++++++++++ 3 files changed, 23 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsutxtfqq/postorius_1.3.13-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsutxtfqq/postorius_1.3.13-1+deb13u1.dsc: no acceptable signature found
diff -Nru postorius-1.3.13/debian/changelog postorius-1.3.13/debian/changelog
--- postorius-1.3.13/debian/changelog 2025-03-12 10:01:34.000000000 +0000
+++ postorius-1.3.13/debian/changelog 2026-05-07 21:30:43.000000000 +0000
@@ -1,3 +1,9 @@
+postorius (1.3.13-1+deb13u1) trixie-security; urgency=medium
+
+ * Fix XSS in queue for held messages
+
+ -- Moritz Mühlenhoff Thu, 07 May 2026 23:30:43 +0200
+
 postorius (1.3.13-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru postorius-1.3.13/debian/patches/series postorius-1.3.13/debian/patches/series
--- postorius-1.3.13/debian/patches/series 2025-03-12 09:10:00.000000000 +0000
+++ postorius-1.3.13/debian/patches/series 2026-05-07 21:30:28.000000000 +0000
@@ -1,2 +1,3 @@
 0001-README.rst-remove-embedded-images.patch
 0002-Drop-requests_panel.patch
+xss-held-messages.patch
diff -Nru postorius-1.3.13/debian/patches/xss-held-messages.patch postorius-1.3.13/debian/patches/xss-held-messages.patch
--- postorius-1.3.13/debian/patches/xss-held-messages.patch 1970-01-01 00:00:00.000000000 +0000
+++ postorius-1.3.13/debian/patches/xss-held-messages.patch 2026-05-07 21:30:37.000000000 +0000
@@ -0,0 +1,16 @@
+From 8d00a3c317729f37435bdbd27170f630e341f29e Mon Sep 17 00:00:00 2001
+From: Danil Smirnov
+Date: Sun, 19 Jan 2025 12:22:12 +0200
+Subject: [PATCH 1/2] Fixing held_messages.js
+
+--- postorius-1.3.13.orig/src/postorius/static/postorius/js/held_messages.js
++++ postorius-1.3.13/src/postorius/static/postorius/js/held_messages.js
+@@ -9,7 +9,7 @@ var loadjs = function(rest_url, error_me
+ url: rest_url + msgid,
+ success: function(data) {
+ $('#message-source-btn').attr('href', rest_url + msgid + '?raw')
+- $('#message-title').html(data.subject);
++ $('#message-title').text(data.subject);
+ $('.modal-footer form input[name="msgid"]').attr('value', msgid);
+ if (data.msg.body) {
+ $('#held-message-content').text(data.msg.body);
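Review bot: The embedded upstream header reads `Subject: [PATCH 1/2] Fixing held_messages.js`, which suggests a second upstream commit exists, yet this patch file carries only the first; please confirm that the other part is either already present in 1.3.13 or not needed for the held-message fix, and record that decision in DEP-3 `Origin:` and `Bug:` headers at the top of the patch file, which currently has only the git From/Date/Subject lines. The replacement of `$('#message-title').html(data.subject)` with `$('#message-title').text(data.subject)` is the correct fix for the subject field, since the visible context already renders `data.msg.body` through `.text()`. The `loadjs` success handler starts before the hunk and continues past it, so it is worth checking that no other field of `data` in the same handler is still inserted with `.html()`.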