According to Florian Hars:
> I just sent this to bugtraq:
> 
> In Fri, Oct 12, 2001 at 12:59:13PM -0600, Dave Ahmad wrote:
> > On Thu, 11 Oct 2001, bugtraq wrote:
> > > 
> > > http://www.perl.com/search/index.ncsp?sp-q=%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%39%39%2E%31%32%35%2E%38%35%2E%34%36%2F%74%69%6D%65%2E%6A%70%67%3E
> 
> > Does anyone know which search engine software this is?

Doesn't LOOK like ht://Dig, but it can be hard to tell with the wrappers
some people use.  In any case, it would seem they resolved the problem
on their site.

> I don't know which engine perl.com uses, but if you have the template
> parameter WORDS in your templates, htdig 3.1.5 puts the unquoted img-tag
> into the result page.
> 
> Funnily enough, the htdig 3.1.5 on htdig.org encodes the offending string
> in
> <input type="text" size="30" name="words" value="&lt;img 
> src=http://199.125.85.46/time.jpg&gt;";>
> 
> while the distributed htdig 3.1.5 (here the debian-version 3.1.5-2) doesn't:
> 
> <input type="text" size="30" name="words" value="<img 
> src=http://199.125.85.46/time.jpg>">

It all depends on whether the "words" input field in your followup search
forms (template files header.html, nomatch.html, ...) uses:

  <input type="text" size="30" name="words" value="$&(WORDS)">

or the older (pre-3.1.5) syntax:

  <input type="text" size="30" name="words" value="$(WORDS)">

The added "&" after the "$" in 3.1.5 template files causes the template
variable to be SGML-encoded.  I suspect that the debian release of
htdig didn't bother updating the template files it installs, but instead
installs something they customized from an earlier version of htdig.
That's out of our hands, so you should report this to the Debian folks.

> (And there is neither a security section on htdig.org nor an email address
> for bug reports... so I am crossposting this to htdig-general)

Yes, we had talked about adding a security section, but no one stepped
forward to help write it.  E-mailing bug reports to htdig-general is just
fine by me, because most of the "bugs" reported on ht://Dig's SourceForge
bug tracking system end up being configuration problems or things that
have been fixed a long time ago.  Both of these are easier to discuss on
the mailing list.

-- 
Gilles R. Detillieux              E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
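To make the difference between the two template syntaxes concrete, here is an added example (not htdig's own code) that re-implements the substitution rule described above as a hypothetical `expand_template` function: `$(VAR)` is inserted raw, `$&(VAR)` is SGML/HTML-encoded. It feeds both forms the URL-decoded query from the report and also includes a small `find_unescaped_vars` check a site admin could run over their own template files to spot leftover pre-3.1.5 `$(WORDS)` usages.

```python
import html
import re
from urllib.parse import unquote

# The sp-q value from the bugtraq report, URL-decoded (constructed from the
# encoded string quoted in the message).
SAMPLE_QUERY = unquote(
    "%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%39%39"
    "%2E%31%32%35%2E%38%35%2E%34%36%2F%74%69%6D%65%2E%6A%70%67%3E"
)

# Hypothetical re-implementation of the two template syntaxes discussed:
#   $(VAR)   -> raw substitution (pre-3.1.5 templates)
#   $&(VAR)  -> SGML-encoded substitution (3.1.5 templates)
VAR_RE = re.compile(r"\$(&?)\((\w+)\)")


def expand_template(template: str, variables: dict) -> str:
    """Expand $(VAR) and $&(VAR) placeholders in an htdig-style template."""
    def repl(m):
        encode, name = m.group(1) == "&", m.group(2)
        value = variables.get(name, "")
        # quote=True also encodes " so the value cannot break out of an attribute
        return html.escape(value, quote=True) if encode else value
    return VAR_RE.sub(repl, template)


def find_unescaped_vars(template: str) -> list:
    """Return (line_no, var_name) for every $(VAR) that is not written $&(VAR)."""
    hits = []
    for n, line in enumerate(template.splitlines(), 1):
        for m in VAR_RE.finditer(line):
            if m.group(1) != "&":
                hits.append((n, m.group(2)))
    return hits


# The two forms of the followup-search field quoted in the message.
OLD_FORM = '<input type="text" size="30" name="words" value="$(WORDS)">'
NEW_FORM = '<input type="text" size="30" name="words" value="$&(WORDS)">'

if __name__ == "__main__":
    ctx = {"WORDS": SAMPLE_QUERY}
    print("old:", expand_template(OLD_FORM, ctx))  # img tag reflected raw
    print("new:", expand_template(NEW_FORM, ctx))  # &lt;img ...&gt;
    print("unescaped:", find_unescaped_vars(OLD_FORM + "\n" + NEW_FORM))
```

Running `find_unescaped_vars` over header.html, nomatch.html and the other template files is a quick way to confirm whether a packaged install (such as the Debian one mentioned) shipped the older syntax.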

_______________________________________________
htdig-dev mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/htdig-dev