Version in base suite: 0.14.0+dfsg-2 Base version: shaarli_0.14.0+dfsg-2 Target version: shaarli_0.14.0+dfsg-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/shaarli/shaarli_0.14.0+dfsg-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/shaarli/shaarli_0.14.0+dfsg-2+deb13u1.dsc changelog | 7 patches/0026-fix-stored-XSS-via-tag-suggestions.patch | 135 ++++++++++++++++++ patches/series | 1 3 files changed, 143 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp6tgcnz5b/shaarli_0.14.0+dfsg-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp6tgcnz5b/shaarli_0.14.0+dfsg-2+deb13u1.dsc: no acceptable signature found diff -Nru shaarli-0.14.0+dfsg/debian/changelog shaarli-0.14.0+dfsg/debian/changelog --- shaarli-0.14.0+dfsg/debian/changelog 2025-08-30 11:45:06.000000000 +0000 +++ shaarli-0.14.0+dfsg/debian/changelog 2026-02-03 12:59:05.000000000 +0000 @@ -1,3 +1,10 @@ +shaarli (0.14.0+dfsg-2+deb13u1) trixie-security; urgency=medium + + * Add patch to fix stored XSS via tag suggestions (Closes: #1126554, + CVE-2026-24476) + + -- James Valleroy Tue, 03 Feb 2026 07:59:05 -0500 + shaarli (0.14.0+dfsg-2) trixie; urgency=medium * Add patch to fix CVE-2025-55291 (Closes: #1111589) diff -Nru shaarli-0.14.0+dfsg/debian/patches/0026-fix-stored-XSS-via-tag-suggestions.patch shaarli-0.14.0+dfsg/debian/patches/0026-fix-stored-XSS-via-tag-suggestions.patch --- shaarli-0.14.0+dfsg/debian/patches/0026-fix-stored-XSS-via-tag-suggestions.patch 1970-01-01 00:00:00.000000000 +0000 +++ shaarli-0.14.0+dfsg/debian/patches/0026-fix-stored-XSS-via-tag-suggestions.patch 2026-02-03 12:59:05.000000000 +0000 
@@ -0,0 +1,135 @@ +From: Moritz Woermann +Date: Thu, 11 Dec 2025 20:44:48 +0100 +Subject: fix stored XSS via tag suggestions + +Applied from upstream commit: +https://github.com/shaarli/Shaarli/commit/f1ee96a763dd6889f543b0f8d1bb2a1c3df2c320 + +Fix for CVE-2026-24476: +https://security-tracker.debian.org/tracker/CVE-2026-24476 + +Forwarded: not-needed +--- + tpl/default/addlink.html | 2 +- + tpl/default/editlink.html | 2 +- + tpl/default/linklist.html | 2 +- + tpl/default/page.header.html | 4 ++-- + tpl/default/tag.cloud.html | 2 +- + tpl/default/tag.list.html | 2 +- + tpl/vintage/editlink.html | 2 +- + tpl/vintage/linklist.html | 2 +- + 8 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/tpl/default/addlink.html b/tpl/default/addlink.html +index 4aac7ff..ba3bb51 100644 +--- a/tpl/default/addlink.html ++++ b/tpl/default/addlink.html +@@ -58,7 +58,7 @@ + +
+ ++ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple data-autofirst autocomplete="off"> +
+ +
+diff --git a/tpl/default/editlink.html b/tpl/default/editlink.html +index a5828c7..74f4cb7 100644 +--- a/tpl/default/editlink.html ++++ b/tpl/default/editlink.html +@@ -58,7 +58,7 @@ +
+
+ ++ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple data-autofirst autocomplete="off" > +
+ +
+diff --git a/tpl/default/linklist.html b/tpl/default/linklist.html
+index 7208a3b..9d342e5 100644
+--- a/tpl/default/linklist.html
++++ b/tpl/default/linklist.html
+@@ -29,7 +29,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+diff --git a/tpl/default/page.header.html b/tpl/default/page.header.html
+index c8ecbc5..257144f 100644
+--- a/tpl/default/page.header.html
++++ b/tpl/default/page.header.html
+@@ -112,7 +112,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+@@ -157,7 +157,7 @@
+ aria-label="{$value === 'add' ? t('Tag to add') : t('Tag to delete')}"
+ placeholder="{$value === 'add' ? t('Tag to add') : t('Tag to delete')}"
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+diff --git a/tpl/default/tag.cloud.html b/tpl/default/tag.cloud.html
+index 01b50b0..d09ed4c 100644
+--- a/tpl/default/tag.cloud.html
++++ b/tpl/default/tag.cloud.html
+@@ -31,7 +31,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ class="autofocus"
+ >
+
+diff --git a/tpl/default/tag.list.html b/tpl/default/tag.list.html
+index 96e7fbe..cb354a5 100644
+--- a/tpl/default/tag.list.html
++++ b/tpl/default/tag.list.html
+@@ -31,7 +31,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-autofirst data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
+diff --git a/tpl/vintage/editlink.html 
b/tpl/vintage/editlink.html +index 343418b..f6cb461 100644 +--- a/tpl/vintage/editlink.html ++++ b/tpl/vintage/editlink.html +@@ -33,7 +33,7 @@ + +
+ ++ data-list="{loop="$tags"}{$key|escape}, {/loop}" data-multiple autocomplete="off" > +
+ +
+diff --git a/tpl/vintage/linklist.html b/tpl/vintage/linklist.html
+index ff0dd40..787e53f 100644
+--- a/tpl/vintage/linklist.html
++++ b/tpl/vintage/linklist.html
+@@ -22,7 +22,7 @@
+ value="{$search_tags}"
+ {/if}
+ autocomplete="off" data-multiple data-minChars="1"
+- data-list="{loop="$tags"}{$key}, {/loop}"
++ data-list="{loop="$tags"}{$key|escape}, {/loop}"
+ >
+
+
diff -Nru shaarli-0.14.0+dfsg/debian/patches/series shaarli-0.14.0+dfsg/debian/patches/series
--- shaarli-0.14.0+dfsg/debian/patches/series 2025-08-30 11:45:06.000000000 +0000
+++ shaarli-0.14.0+dfsg/debian/patches/series 2026-02-03 12:59:05.000000000 +0000
@@ -22,3 +22,4 @@
0023-Rename-PluginQrcodeTest-as-PluginReadItLaterTest-PHP.patch
0024-RequiresPhpunit-12-for-test-failing-with-PHPUnit-12.patch
0025-fix-reflected-XSS-via-searchtags-parameter.patch
+0026-fix-stored-XSS-via-tag-suggestions.patch
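Review bot: The `|escape` filter is added to `{$key}` only inside the double-quoted `data-list="…"` attribute in all eight templates, so the fix is complete only if that filter encodes `"` as well as `<`, `>` and `&`; Shaarli's `escape()` wraps `htmlspecialchars`, but its flags are not visible in this patch, so confirm it uses a mode that encodes double quotes (ENT_COMPAT or ENT_QUOTES) for the attribute context to be safe. The browser decodes the entities before the autocomplete script reads `data-list`, so the suggestion text shown to users should be unchanged; a tag such as `a&b` is a quick way to confirm that. No regression test accompanies the change, and a template test rendering `$tags` with a key like `x"<y` and asserting the encoded form appears in `data-list` would pin the behaviour for every patched template. Each inner hunk starts in the middle of an `<input …>` element whose opening line lies outside the hunk, and in this rendering the `<input` lines of the addlink/editlink hunks are missing, so those three hunks cannot be checked line by line here.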