
It's worth noting that the XSS vulnerability ("A user could inject scripts into the npm website via the README and license fields") assuredly exposed a whole slew of easy-to-exploit vulnerabilities, and the community should feel very lucky that such an obvious vulnerability was in the wild for so long without being exploited.

TL;DR always use a templating engine that makes you think about XSS and don't allow unsanitized user-provided HTML through raw.



> don't allow unsanitized user-provided HTML through raw.

It's sad that you even need to say this, both for the fact that JavaScript sandboxing is so terrible and the fact that developers aren't aware of the hazards of just blindly taking user-provided HTML.


As a point of honor, I feel obligated to mention that @rockbot and I are very aware of these hazards, but our website was put together in somebody's spare time when Node had like 100 users in total :-)


I read that 'as a point of horror'.


If it's referring to what I think it is, part of this is my fault and I feel I should give a post-mortem as well. There was a problem with marked (the markdown parser npmjs.org uses for READMEs) which allowed users to provide `javascript:` pseudo-protocol links even when the `sanitize` option was enabled. It was fixed[1] with marked v0.3.1 on Jan. 31st. It looks like npm-www started using marked v0.3.1 on Feb. 17th[2].

[1] https://github.com/chjj/marked/commit/904c71b7713979b01d5bc5...

[2] https://github.com/npm/npm-www/commit/a1ed923870609b578fcde4...

edit: On closer inspection it looks like it may have been a problem with the html sanitizer[3] it used as opposed to the marked `sanitize` option (which is not used at all). I guess my conscience is clear here at least.

[3] https://github.com/npm/npm-www/blob/master/models/package.js...


> and the community should feel very lucky that such an obvious vulnerability was in the wild for so long without being exploited.

We have no reason to assume they haven't. The 0-day market is extremely lucrative, and they trade exploits rarely known to the wider community.



