"Homepage" field (and others?) not escaped correctly

"Homepage" field is not escaped either, so you can do:

  Homepage: <script>alert('XSS')</script>

with an uploaded package and delete all packages, comment on stuff, steal cookies, run a bitcoin miner, etc.

Edited by Mattia Rizzolo
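The bug class reported above, next to an escaped rendering, as an added example that is not the project's own code. It assumes the field values come from an uploaded package's control stanza and are written into an HTML page; the function names and the sample stanza are hypothetical, and only the Homepage payload is taken from the report.

```python
import html
from urllib.parse import urlsplit

# Constructed sample stanza; only the Homepage payload comes from the report.
SAMPLE_CONTROL = """\
Source: hello
Maintainer: Jane Doe <jane@example.org>
Homepage: <script>alert('XSS')</script>
"""

def parse_stanza(text):
    """Parse one 'Field: value' stanza, folding continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
    return fields

def render_unsafe(fields):
    """The reported defect: uploader-controlled values concatenated into markup."""
    return "".join(f"<dt>{k}</dt><dd>{v}</dd>" for k, v in fields.items())

def safe_link(url):
    """Return an anchor only for http(s) URLs, otherwise escaped plain text."""
    text = html.escape(url, quote=True)
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input such as an unclosed IPv6 bracket
        return text
    if parts.scheme in ("http", "https") and parts.netloc:
        return f'<a href="{text}" rel="nofollow noopener">{text}</a>'
    return text

def render_safe(fields):
    """Escape every name and value; Homepage also gets scheme validation."""
    rows = []
    for k, v in fields.items():
        body = safe_link(v) if k == "Homepage" else html.escape(v, quote=True)
        rows.append(f"<dt>{html.escape(k)}</dt><dd>{body}</dd>")
    return "".join(rows)
```

Escaping is applied to every field, not only Homepage, since the Maintainer value also contains angle brackets; the scheme check matters because an escaped `javascript:` URL is still dangerous inside an `href`.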