Geoff Hutchison <ghutchis@...> wrote:
>I had asked:
> > Does ht://Dig filter the text returned by $&(LOGICAL_WORDS) ?
> > I have in mind a number of possible evil exploits of echoing
> > this in a page (though I don't have or want the skills to
> > implement them).
> LOGICAL_WORDS is built up from the search query, so it's completely
> filtered. At one point, there were problems with WORDS because it
> essentially came from the search query.
> Also remember that the $&(VAR) syntax will HTML-escape everything, so
> things like <script> won't become markup tags, but rather &lt;script&gt;
D'oh! I realised that about $&(LOGICAL_WORDS) and $(LOGICAL_WORDS) after
So I gather the answer is that all is well; WORDS is filtered too, and
if that's not perfect one can be safe by using $&(WORDS) and quoting it
only within the <TITLE> or <INPUT>.
Thanks for the reassurance.
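The escaping behaviour the thread relies on, as an added example that is not part of the original messages or of ht://Dig's own code: a hypothetical mini template expander that treats $(VAR) as a raw substitution and $&(VAR) as an HTML-escaped one, fed a constructed search query that tries to break out of an INPUT value attribute. The template strings, the variable name WORDS and the helper names are assumptions for illustration only.

```python
import html
import re

# Hypothetical expander modelled on the two substitution forms discussed
# in the thread: $(VAR) inserts the value raw, $&(VAR) inserts it
# HTML-escaped. Illustration only, not ht://Dig's implementation.
_TOKEN = re.compile(r"\$(&?)\((\w+)\)")


def expand(template: str, variables: dict) -> str:
    """Substitute $(NAME) and $&(NAME) tokens in template."""
    def substitute(match):
        escaped = match.group(1) == "&"
        value = variables.get(match.group(2), "")
        # quote=True also escapes " and ', which matters inside attributes
        return html.escape(value, quote=True) if escaped else value
    return _TOKEN.sub(substitute, template)


# Constructed attacker-controlled query: closes the value attribute,
# closes the tag, then injects a script element.
CONSTRUCTED_QUERY = '"><script>alert(1)</script>'

RAW_TEMPLATE = '<input type="text" name="words" value="$(WORDS)">'
ESCAPED_TEMPLATE = '<input type="text" name="words" value="$&(WORDS)">'


def raw_echo(query: str) -> str:
    """Echo the query with the raw $(WORDS) form (unsafe)."""
    return expand(RAW_TEMPLATE, {"WORDS": query})


def escaped_echo(query: str) -> str:
    """Echo the query with the escaped $&(WORDS) form (safe)."""
    return expand(ESCAPED_TEMPLATE, {"WORDS": query})


def markup_injected(page: str) -> bool:
    """Crude detector: a <script tag appeared in output that had none."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("raw:    ", raw_echo(CONSTRUCTED_QUERY))
    print("escaped:", escaped_echo(CONSTRUCTED_QUERY))
```

With the raw form the output is `value=""><script>alert(1)</script>">`, i.e. the attribute is closed and a script element follows; with the escaped form the quote and angle brackets come out as `&quot;`, `&lt;` and `&gt;`, so the browser renders them as text inside the attribute. Note that entity escaping alone is only sufficient in HTML text and quoted-attribute contexts, which is why the thread's advice of quoting the value within TITLE or INPUT matters.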