[htdig] ht://dig vulnerable for "phishing"-attacks?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi there,

ht://dig 3.1.6 (and maybe newer versions) seems to be vulnerable for
"phishing"-attacks when using the $(WORDS) variable in the 
resultemplates.

When I call htsearch like this:
/cgi-bin/htsearch?words=%3Cfont%20color=%22red%22%3Ehello%3C/font%3E

and the nomatch-template looks like this:

No results for '$(WORDS)'

the result is

No result for '<font color="red">hello</font>'

This makes any website using the $(WORDS) variable in the resultemplates
vulnerable to "phishing"-attacks. 
It should be enough to replace "<" and ">" by "&lt;" and "&gt;" in 
$(WORDS) (and maybe other variables) before output to close this
vulnerability.

Could anyone provide a patch to fix this or is this already fixed in
3.2.x?

Regards,
  Roland