From: Gilles D. <gr...@sc...> - 2001-10-18 18:13:46
According to Florian Hars:
> I just sent this to bugtraq:
>
> On Fri, Oct 12, 2001 at 12:59:13PM -0600, Dave Ahmad wrote:
> > On Thu, 11 Oct 2001, bugtraq wrote:
> > > http://www.perl.com/search/index.ncsp?sp-q=%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%39%39%2E%31%32%35%2E%38%35%2E%34%36%2F%74%69%6D%65%2E%6A%70%67%3E
> >
> > Does anyone know which search engine software this is?

Doesn't LOOK like ht://Dig, but it can be hard to tell with the wrappers
some people use. In any case, it would seem they resolved the problem on
their site.

> I don't know which engine perl.com uses, but if you have the template
> parameter WORDS in your templates, htdig 3.1.5 puts the unquoted img-tag
> into the result page.
>
> Funnily enough, the htdig 3.1.5 on htdig.org encodes the offending string
> in
> <input type="text" size="30" name="words" value="&lt;img src=http://199.125.85.46/time.jpg&gt;">
>
> while the distributed htdig 3.1.5 (here the debian-version 3.1.5-2) doesn't:
>
> <input type="text" size="30" name="words" value="<img src=http://199.125.85.46/time.jpg>">

It all depends on whether the "words" input field in your followup search
forms (template files header.html, nomatch.html, ...) uses:

<input type="text" size="30" name="words" value="$&(WORDS)">

or the older (pre-3.1.5) syntax:

<input type="text" size="30" name="words" value="$(WORDS)">

The added "&" after the "$" in 3.1.5 template files causes the template
variable to be SGML-encoded. I suspect that the Debian release of htdig
didn't bother updating the template files it installs, but instead installs
something they customized from an earlier version of htdig. That's out of
our hands, so you should report this to the Debian folks.

> (And there is neither a security section on htdig.org nor an email address
> for bug reports... so I am crossposting this to htdig-general)

Yes, we had talked about adding a security section, but no one stepped
forward to help write it.
E-mailing bug reports to htdig-general is just fine by me, because most of
the "bugs" reported on ht://Dig's SourceForge bug tracking system end up
being configuration problems or things that have been fixed a long time ago.
Both of these are easier to discuss on the mailing list.

--
Gilles R. Detillieux              E-mail: <gr...@sc...>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
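As an added illustration (not code from this thread or from ht://Dig itself), the Python below models the two template syntaxes the reply contrasts, `$(WORDS)` substituted raw versus `$&(WORDS)` SGML-encoded, and includes an audit check that flags user-controlled variables inserted with the raw form in a template file. The template text and search string are constructed samples, and the image host is a hypothetical placeholder.

```python
import html
import re

# Hypothetical re-implementation of the two ht://Dig 3.1.5 template
# substitutions discussed in the thread (not htdig's own code):
#   $(NAME)  -> raw value (pre-3.1.5 syntax)
#   $&(NAME) -> SGML/HTML-encoded value
PLACEHOLDER = re.compile(r"\$(&?)\(([A-Za-z_][A-Za-z0-9_]*)\)")


def expand_template(template: str, variables: dict) -> str:
    """Expand placeholders; only the $&(...) form escapes <, >, & and quotes."""
    def substitute(match):
        encoded, name = match.group(1) == "&", match.group(2)
        value = str(variables.get(name, ""))
        return html.escape(value, quote=True) if encoded else value
    return PLACEHOLDER.sub(substitute, template)


def unescaped_user_vars(template: str, user_vars=("WORDS",)) -> list:
    """Audit check for template files such as header.html / nomatch.html:
    list every user-controlled variable inserted with the raw $(...) form.
    The same name is reported once per raw occurrence."""
    return [name for enc, name in PLACEHOLDER.findall(template)
            if enc != "&" and name in user_vars]


# Constructed sample templates: the words field in the old and new syntax,
# plus a heading that echoes the query into the page body.
OLD_TEMPLATE = ('<h2>Results for $(WORDS)</h2>\n'
                '<input type="text" size="30" name="words" value="$(WORDS)">')
NEW_TEMPLATE = ('<h2>Results for $&(WORDS)</h2>\n'
                '<input type="text" size="30" name="words" value="$&(WORDS)">')
# Constructed search string shaped like the one in the thread (placeholder host).
QUERY = '<img src=http://example.invalid/x.jpg>'

if __name__ == "__main__":
    print(unescaped_user_vars(OLD_TEMPLATE))                 # ['WORDS', 'WORDS']
    print(expand_template(OLD_TEMPLATE, {"WORDS": QUERY}))   # tag lands in the page raw
    print(expand_template(NEW_TEMPLATE, {"WORDS": QUERY}))   # &lt;img ...&gt; instead
```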