Failure to Escape HTML on PyPI
Incident Report for Python Infrastructure
Resolved
It has come to our attention that in certain cases PyPI failed to correctly escape HTML that was uploaded as the long_description for projects. This was specific to projects whose long_description fields did not successfully render as reStructuredText and fell back to the plaintext rendering code. It was introduced in commit e2ea08abfb on 2015-01-24. We have found no evidence of any projects exploiting this and we do not believe that anyone is at risk.
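The report describes a plaintext fallback branch that is taken when a long_description fails to render as reStructuredText; that branch, not the reST path, emitted the uploaded text without escaping. The following is an added example, not PyPI's own code, that models the pattern: a flawed fallback beside the corrected one, plus a regression check that confirms a fallback never lets markup-significant characters through. The stub reST renderer, all function names and the sample descriptions are constructed for illustration and are assumptions.

```python
# Added example, not PyPI's own code. Models the report's pattern: render a
# long_description as reStructuredText, and on failure fall back to a
# plaintext renderer. The flawed fallback emits the text unescaped; the
# corrected one escapes it. Function names, the stub reST renderer and the
# sample descriptions are constructed here (assumptions, not PyPI code).
import html
from typing import Callable, Optional

RstRenderer = Callable[[str], Optional[str]]
Fallback = Callable[[str], str]


def render_plaintext_unsafe(text: str) -> str:
    """Flawed fallback: wraps the raw text in <pre> without escaping, so
    any markup inside the description reaches the page as live HTML."""
    return "<pre>" + text + "</pre>"


def render_plaintext_safe(text: str) -> str:
    """Corrected fallback: escape &, <, >, and both quote characters before
    wrapping, so the description is displayed as text, never as markup."""
    return "<pre>" + html.escape(text, quote=True) + "</pre>"


def stub_rst_renderer(text: str) -> Optional[str]:
    """Constructed stand-in for a reST renderer (not docutils): it "fails"
    on an odd number of backticks, which is enough to drive the fallback
    path deterministically. Returns None on failure."""
    if text.count("`") % 2:
        return None
    # A real renderer escapes markup as part of rendering; the stub does too.
    return "<p>" + html.escape(text) + "</p>"


def render_long_description(text: str, render_rst: RstRenderer,
                            fallback: Fallback) -> str:
    """Render as reST; if that fails, use the plaintext fallback. The
    fallback is the branch the incident was about, so it must escape on
    its own rather than rely on the reST path having done so."""
    rendered = render_rst(text)
    return rendered if rendered is not None else fallback(text)


# Constructed samples: each has one unmatched backtick so the stub rejects
# it and rendering takes the fallback branch.
MARKUP_SAMPLES = [
    "Unterminated `literal <b>bold</b>",
    'See `docs <a href="x">link</a>',
    "Quote test ` \" ' & stuff",
]


def fallback_is_safe(fallback: Fallback) -> bool:
    """Regression check: run the fallback over the samples and confirm that
    no markup-significant character from the input survives unescaped
    inside the wrapper, and that the escaping is lossless."""
    for sample in MARKUP_SAMPLES:
        out = fallback(sample)
        if not (out.startswith("<pre>") and out.endswith("</pre>")):
            return False
        inner = out[len("<pre>"):-len("</pre>")]
        if any(ch in inner for ch in "<>\"'"):
            return False  # a raw <, >, " or ' leaked into the page body
        if html.unescape(inner) != sample:
            return False  # escaping must round-trip to the original text
    return True


if __name__ == "__main__":
    for name, fb in (("unsafe", render_plaintext_unsafe),
                     ("safe", render_plaintext_safe)):
        print(f"{name} fallback passes escaping check: {fallback_is_safe(fb)}")
    print(render_long_description(MARKUP_SAMPLES[0], stub_rst_renderer,
                                  render_plaintext_safe))
```

The check is written against the fallback in isolation because that is where the defect lived: the reST renderer escaped correctly, so tests that only exercised well-formed descriptions would never have reached the unescaped branch.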

This issue was discovered by Keryn Knight, whom we'd like to thank for finding it and reporting it to us. The timeline of what occurred is:

* 2015-08-26 @ 1700 UTC - I received an email by Keryn Knight reporting the issue.
* 2015-08-26 @ 1703 UTC - I responded to the email confirming the problem and asserting I’d have the problem fixed shortly.
* 2015-08-26 @ 1743 UTC - Fixes pushed to https://testpypi.python.org/
* 2015-08-26 @ 1746 UTC - Fixes pushed to https://pypi.python.org/
* 2015-08-26 @ 1805 UTC - Fixes pushed to https://warehouse-staging.python.org/
* 2015-08-26 @ 1809 UTC - Fixes pushed to https://warehouse.python.org/
* 2015-08-26 @ 1815 UTC - Emailed Keryn Knight confirming the fix had been deployed.

- Donald Stufft
Posted Aug 27, 2015 - 23:51 UTC