"Homepage" field (and others?) not escaped correctly
"Homepage" field is not escaped either, so you can do:
Homepage: <script>alert('XSS')</script>
with an uploaded package and delete all packages, comment on stuff, steal cookies, run a bitcoin miner, etc.
Edited by Mattia Rizzolo
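The fix this report calls for, as an added example (not code from this issue or from the project): every package field is HTML-escaped on output, and the Homepage value becomes a link only if it is an http(s) URL. The function names and the sample field dictionary are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: fields as they might arrive from an uploaded package.
SAMPLE_FIELDS = {
    "Package": "hello",
    "Homepage": "<script>alert('XSS')</script>",
}

ALLOWED_SCHEMES = {"http", "https"}


def render_unsafe(fields):
    """The 'before': field values are interpolated into HTML as-is."""
    return "".join(f"<dt>{k}</dt><dd>{v}</dd>" for k, v in fields.items())


def safe_link(value):
    """Return an <a> element for http(s) URLs, otherwise escaped plain text."""
    text = html.escape(value, quote=True)
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return text
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        # Escaping quotes keeps the value inside the href attribute.
        href = html.escape(value.strip(), quote=True)
        return f'<a href="{href}" rel="nofollow noopener">{text}</a>'
    return text


def render_safe(fields):
    """Escape every field name and value; only Homepage may become a link."""
    rows = []
    for key, value in fields.items():
        if key == "Homepage":
            cell = safe_link(value)
        else:
            cell = html.escape(value, quote=True)
        rows.append(f"<dt>{html.escape(key)}</dt><dd>{cell}</dd>")
    return "".join(rows)
```

Escaping alone is not enough for a value placed in `href`, which is why the scheme allowlist rejects `javascript:` and similar URLs before a link is built.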