In-Reply-To: <[EMAIL PROTECTED]>

Geoff Hutchison <[EMAIL PROTECTED]> wrote:

> I had asked:
> > Does ht://Dig filter the text returned by $&(LOGICAL_WORDS) ?
> >
> > I have in mind a number of possible evil exploits of echoing
> > this in a page (though I don't have or want the skills to
> > implement them).
>
> LOGICAL_WORDS is built up from the search query, so it's completely
> filtered. At one point, there were problems with WORDS because it
> essentially came from the search query.
>
> Also remember that the $&(VAR) syntax will HTML-escape everything, so
> things like <script> won't become markup tags, but rather &lt;script&gt;
D'oh! I realised that about $&(LOGICAL_WORDS) and $(LOGICAL_WORDS) after I
posted. So I gather the answer is that all is well; WORDS is filtered too,
and if that's not perfect one can be safe by using $&(WORDS) and quoting it
only within the <TITLE> or <INPUT>.

Thanks for the reassurance.

Mike

_______________________________________________
htdig-general mailing list <[EMAIL PROTECTED]>
FAQ: http://htdig.sourceforge.net/FAQ.html
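The distinction the two messages turn on, as an added illustration that is not part of the thread and not ht://Dig's own code: a small stand-in template expander in which `$(VAR)` is substituted verbatim and `$&(VAR)` is HTML-escaped, run over a constructed search query containing markup, in the two output contexts Mike names (`<TITLE>` element content and an `<INPUT>` value attribute). Assumptions: the expander, the `build_logical_words` reconstruction (only alphanumeric tokens of the query, joined with "and"), and the choice to escape quote characters as well as `&<>` are this example's, not a description of how ht://Dig actually implements these variables; the thread only says that `$&(VAR)` HTML-escapes and that LOGICAL_WORDS is rebuilt from the query.

```python
import html
import re

# Constructed sample: a search query carrying markup and an attribute-breaking quote.
SAMPLE_WORDS = '<script>alert(1)</script> " onmouseover="x'

# Constructed template fragments for the contexts discussed in the thread.
TEMPLATE_TITLE = "<TITLE>Results for $&(WORDS)</TITLE>"
TEMPLATE_INPUT = '<INPUT TYPE="text" NAME="words" VALUE="$&(WORDS)">'
TEMPLATE_UNESCAPED = "<H1>Results for $(WORDS)</H1>"

# Matches $(NAME) and $&(NAME); group 1 is "&" when escaping was requested.
_VAR_RE = re.compile(r"\$(&?)\((\w+)\)")


def html_escape(value: str) -> str:
    """Escape & < > and both quote characters so the value is inert in element
    content and inside a quoted attribute (quote escaping is an assumption here)."""
    return html.escape(value, quote=True)


def expand(template: str, variables: dict) -> str:
    """Stand-in expander: $(VAR) is inserted raw, $&(VAR) is HTML-escaped."""
    def substitute(match: re.Match) -> str:
        escaped, name = match.group(1) == "&", match.group(2)
        value = variables.get(name, "")
        return html_escape(value) if escaped else value
    return _VAR_RE.sub(substitute, template)


def build_logical_words(query: str) -> str:
    """Assumed reconstruction of LOGICAL_WORDS: rebuilt from the query's
    alphanumeric tokens only, so no user-supplied markup can survive."""
    return " and ".join(re.findall(r"[A-Za-z0-9]+", query))


def attribute_intact(rendered: str, template: str) -> bool:
    """Defender's check: the rendered page must contain exactly the double quotes
    the template itself had; any extra one means the attribute was broken out of."""
    return rendered.count('"') == template.count('"')


if __name__ == "__main__":
    vars_ = {"WORDS": SAMPLE_WORDS,
             "LOGICAL_WORDS": build_logical_words(SAMPLE_WORDS)}
    print("escaped title :", expand(TEMPLATE_TITLE, vars_))
    print("escaped input :", expand(TEMPLATE_INPUT, vars_))
    print("raw $(WORDS)  :", expand(TEMPLATE_UNESCAPED, vars_))
    print("LOGICAL_WORDS :", expand("<B>$(LOGICAL_WORDS)</B>", vars_))
    raw_input_tpl = TEMPLATE_INPUT.replace("$&(", "$(")
    print("attribute intact with $&:", attribute_intact(expand(TEMPLATE_INPUT, vars_), TEMPLATE_INPUT))
    print("attribute intact with $ :", attribute_intact(expand(raw_input_tpl, vars_), raw_input_tpl))
```

The `attribute_intact` check is the part worth keeping when reviewing a template: escaping `<` and `>` alone makes `$&(WORDS)` safe in `<TITLE>`, but inside `VALUE="..."` it is the escaping of `"` that keeps the query from closing the attribute, which is why the example escapes quotes and why the thread's advice to keep `$&(WORDS)` within quoted contexts matters.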

