[htdig-dev] Re: Dangers of posting images: Pretty examples

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I just sent this to bugtraq:

In Fri, Oct 12, 2001 at 12:59:13PM -0600, Dave Ahmad wrote:
> On Thu, 11 Oct 2001, bugtraq wrote:
> > http://www.perl.com/search/index.ncsp?sp-q=%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%39%39%2E%31%32%35%2E%38%35%2E%34%36%2F%74%69%6D%65%2E%6A%70%67%3E

> Does anyone know which search engine software this is?

I don't know which engine perl.com uses, but if you have the template
parameter WORDS in you templates, htdig 3.1.5 puts the unquoted img-tag
into the result page.

Funnily enough, the htdig 3.1.5 on htdig.org encodes the offending string
in
<input type="text" size="30" name="words" value="&lt;img src=http://199.125.85.46/time.jpg&gt;">

while the distributed htdig 3.1.5 (here the debian-version 3.1.5-2) doesn't:

<input type="text" size="30" name="words" value="<img src=http://199.125.85.46/time.jpg>">

(And there is neither a security section on htdig.org nor an email address
for bug reports... so I am crossposting this to htdig-general)

Yours, Florian Hars.