From: Florian H. <fl...@ha...> - 2001-10-15 16:46:04
I just sent this to bugtraq:

On Fri, Oct 12, 2001 at 12:59:13PM -0600, Dave Ahmad wrote:
> On Thu, 11 Oct 2001, bugtraq wrote:
> > http://www.perl.com/search/index.ncsp?sp-q=%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%39%39%2E%31%32%35%2E%38%35%2E%34%36%2F%74%69%6D%65%2E%6A%70%67%3E
> Does anyone know which search engine software this is?

I don't know which engine perl.com uses, but if you have the template parameter WORDS in your templates, htdig 3.1.5 puts the unquoted img-tag into the result page.

Funnily enough, the htdig 3.1.5 on htdig.org encodes the offending string in

<input type="text" size="30" name="words" value="<img src=http://199.125.85.46/time.jpg>">

while the distributed htdig 3.1.5 (here the Debian version 3.1.5-2) doesn't:

<input type="text" size="30" name="words" value="<img src=http://199.125.85.46/time.jpg>">

(And there is neither a security section on htdig.org nor an email address for bug reports... so I am crossposting this to htdig-general)

Yours,
Florian Hars.
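The difference described in the message above, as an added example that is not part of the original post and not ht://Dig code: the search string from the quoted URL is substituted into a result template once raw and once HTML-escaped, and the rendered page is parsed to see which elements a browser would build. The template and its `{WORDS}` placeholder are constructed stand-ins (assumptions), not htdig's template syntax.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# URL quoted in the post; its sp-q parameter carries the search string.
REPORTED_URL = (
    "http://www.perl.com/search/index.ncsp?sp-q="
    "%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%39%39%2E%31%32%35"
    "%2E%38%35%2E%34%36%2F%74%69%6D%65%2E%6A%70%67%3E"
)

# Constructed template: the search words appear in body text and in the form field.
TEMPLATE = (
    "<p>Results for: {WORDS}</p>\n"
    '<input type="text" size="30" name="words" value="{WORDS}">'
)


def search_words(url):
    """Return the percent-decoded sp-q parameter of the URL."""
    return parse_qs(urlsplit(url).query)["sp-q"][0]


def render_raw(words):
    """Substitute the words unchanged (the behaviour reported for 3.1.5)."""
    return TEMPLATE.replace("{WORDS}", words)


def render_escaped(words):
    """Substitute the words with <, >, &, and quotes turned into entities."""
    return TEMPLATE.replace("{WORDS}", html.escape(words, quote=True))


class TagCollector(HTMLParser):
    """Record each start tag and the value the form field ends up with."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def parse_page(page):
    """Return (list of start tags, decoded value of the input field)."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags, collector.input_value
```

With raw substitution the parser reports an extra `img` element in the body text; with escaping the page contains only the template's own elements and the form field still shows the user's original search string.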