ht://dig 3.1.6 (and maybe newer versions) seems to be
vulnerable to "phishing" attacks when using the
$(WORDS) variable in the result templates.
When htsearch is called like this:
and the nomatch-template looks like this:
No results for '$(WORDS)'
the result is
No result for '<font color="red">hello</font>'
This makes any website using the $(WORDS) variable in
the result templates vulnerable to "phishing" attacks.
It should be enough to translate "<" to "&lt;", ">" to
"&gt;" and `"` to "&quot;" in $(WORDS) (and maybe other
variables) before output to close this vulnerability.
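
The fix suggested above, as an added C++ sketch that is not ht://Dig's own code: `expand_template` is a hypothetical stand-in for htsearch's template substitution, and the template and search words are the ones from this report. The escaping also covers `&` and `'`, which goes beyond the three characters named above so that entity text and single-quoted attributes are neutralised as well.

```cpp
#include <iostream>
#include <string>

// Escape every character that is significant in HTML text or attribute values.
std::string html_escape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;  // must be escaped too, or "&lt;" in input is ambiguous
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical template expansion: replaces each $(WORDS) in tmpl.
// escape=false reproduces the reported behaviour, escape=true is the fix.
std::string expand_template(const std::string &tmpl, const std::string &words,
                            bool escape) {
    const std::string var = "$(WORDS)";
    const std::string value = escape ? html_escape(words) : words;
    std::string out;
    std::string::size_type pos = 0, hit;
    while ((hit = tmpl.find(var, pos)) != std::string::npos) {
        out.append(tmpl, pos, hit - pos);  // literal template text before the variable
        out += value;
        pos = hit + var.size();
    }
    out.append(tmpl, pos, std::string::npos);  // remainder after the last variable
    return out;
}

int main() {
    const std::string tmpl = "No results for '$(WORDS)'";
    const std::string words = "<font color=\"red\">hello</font>";
    std::cout << "raw:     " << expand_template(tmpl, words, false) << "\n";
    std::cout << "escaped: " << expand_template(tmpl, words, true) << "\n";
    return 0;
}
```

Escaping at the point of substitution, rather than when the query is parsed, keeps the stored search words intact while making every template that prints them safe.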