Hi there,

ht://dig 3.1.6 (and maybe newer versions) seems to be vulnerable to "phishing" attacks when using the $(WORDS) variable in the result templates.

When I call htsearch like this:

    /cgi-bin/htsearch?words=%3Cfont%20color=%22red%22%3Ehello%3C/font%3E

and the nomatch template looks like this:

    No results for '$(WORDS)'

the result is:

    No results for '<font color="red">hello</font>'

This makes any website using the $(WORDS) variable in the result templates vulnerable to "phishing" attacks. It should be enough to replace "<" and ">" by "&lt;" and "&gt;" in $(WORDS) (and maybe other variables) before output to close this vulnerability.

Could anyone provide a patch to fix this, or is this already fixed in 3.2.x?

Regards,
Roland

_______________________________________________
ht://Dig general mailing list: <[EMAIL PROTECTED]>
ht://Dig FAQ: http://htdig.sourceforge.net/FAQ.html
List information (subscribe/unsubscribe, etc.) https://lists.sourceforge.net/lists/listinfo/htdig-general
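The fix the post asks for is output encoding of template variables before they are written into the HTML response. The following is an added illustration, not ht://Dig's own code: a standalone C++ escape routine plus a minimal `$(NAME)` substitution that applies it to every variable, run against the exact query string from the report. The function names `htmlEscape`, `expandTemplate` and `nomatchExample` are assumptions for this example and do not correspond to identifiers in the ht://Dig source.

```cpp
#include <iostream>
#include <map>
#include <string>

// Escape the characters that can change meaning inside HTML text or
// attribute values. The report only mentions '<' and '>', but '&' and the
// quote characters must be covered too, since a template may place
// $(WORDS) inside an attribute such as value="$(WORDS)".
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Replace every $(NAME) placeholder in tmpl with the escaped value of NAME.
// Unknown placeholders are left untouched so a typo in a template is visible
// rather than silently producing an empty string.
std::string expandTemplate(const std::string& tmpl,
                           const std::map<std::string, std::string>& vars) {
    std::string out;
    size_t pos = 0;
    while (pos < tmpl.size()) {
        size_t start = tmpl.find("$(", pos);
        if (start == std::string::npos) { out += tmpl.substr(pos); break; }
        size_t end = tmpl.find(')', start + 2);
        if (end == std::string::npos) { out += tmpl.substr(pos); break; }
        out += tmpl.substr(pos, start - pos);
        std::string name = tmpl.substr(start + 2, end - start - 2);
        auto it = vars.find(name);
        if (it != vars.end()) {
            out += htmlEscape(it->second);   // user-controlled data is always escaped
        } else {
            out += tmpl.substr(start, end - start + 1);
        }
        pos = end + 1;
    }
    return out;
}

// Reproduces the nomatch template from the report with the decoded query
// value from the post's example URL (constructed input for this example).
std::string nomatchExample() {
    const std::string words = "<font color=\"red\">hello</font>";
    return expandTemplate("No results for '$(WORDS)'", {{"WORDS", words}});
}

int main() {
    std::cout << nomatchExample() << "\n";
    return 0;
}
```

With escaping applied, the browser renders the literal text `<font color="red">hello</font>` inside the quotes instead of interpreting it as markup, which is what closes the hole described above. Escaping belongs at the point of output, not at the point where the query is parsed, because the same search words are also needed unescaped for matching against the index.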