From: Gilles D. <gr...@sc...> - 2001-10-19 14:22:08
According to Florian Hars:
> On Thu, Oct 18, 2001 at 01:13:38PM -0500, Gilles Detillieux wrote:
> > The added "&" after the "$" in 3.1.5 template files causes the template
> > variable to be SGML-encoded. I suspect that the Debian release of
> > htdig didn't bother updating the template files it installs, but instead
> > installs something they customized from an earlier version of htdig.
>
> No, the files in Debian contain properly escaped substitutions, it was just
> my templates that had the problem. Still, I think it is a design error to
> make the default syntax for variable substitution (which is the same every
> other program uses) insecure.
> You should have to take additional steps if you want insecure behaviour,
> not if you want secure behaviour.

I have to disagree with you on this point. Whether the default syntax is
insecure or not depends totally on the context in which the template
variable is used, and how that template variable is generated. To change
the default syntax so it SGML-encodes the variable by default would
seriously break just about any existing template file, because a great
number of template variables can't be encoded this way - they're supposed
to contain HTML tags that go straight through to the results page. Just a
few of these variables are: METHOD, FORMAT, SORT, PAGEHEADER, PREVPAGE,
PAGELIST, NEXTPAGE, EXCERPT, STARSLEFT and STARSRIGHT.

--
Gilles R. Detillieux              E-mail: <gr...@sc...>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
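The trade-off argued in this exchange, as an added illustration that is not htdig's code and not part of the original thread: a small substitution engine that treats `$(VAR)` as raw passthrough and `$&(VAR)` as SGML/HTML-encoded, exactly the two forms the messages describe, plus an audit helper that lists every raw substitution of a variable not known to carry trusted markup. The set of trusted-markup variables is taken from the names Gilles lists; the variable name WORDS for the user's search terms and the sample values are assumptions constructed for this example.

```python
import html
import re

# Variables the message above says are supposed to carry HTML tags that
# pass straight through to the results page (names taken from the thread).
TRUSTED_HTML = {
    "METHOD", "FORMAT", "SORT", "PAGEHEADER", "PREVPAGE", "PAGELIST",
    "NEXTPAGE", "EXCERPT", "STARSLEFT", "STARSRIGHT",
}

# $(NAME) substitutes raw; $&(NAME) substitutes SGML/HTML-encoded.
VAR_RE = re.compile(r"\$(&?)\((\w+)\)")


def expand(template: str, variables: dict) -> str:
    """Expand template variables, encoding only those written as $&(NAME).

    Unknown variables expand to the empty string, so a typo in a template
    never leaks the literal placeholder into the page.
    """
    def repl(match: re.Match) -> str:
        encode = match.group(1) == "&"
        value = variables.get(match.group(2), "")
        return html.escape(value, quote=True) if encode else value

    return VAR_RE.sub(repl, template)


def audit(template: str, trusted_html: set) -> list:
    """Return variables substituted raw that are not known to carry trusted markup.

    This is the check a template author wants when deciding where the
    '&' is missing: any raw $(NAME) whose value may come from the request
    (search terms, for instance) shows up here.
    """
    flagged = {
        name
        for encode, name in VAR_RE.findall(template)
        if encode != "&" and name not in trusted_html
    }
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed sample: PAGEHEADER carries real markup, WORDS is what the
    # user typed (WORDS is an assumed name for the search-term variable).
    variables = {
        "PAGEHEADER": "<h1>Search results</h1>",
        "WORDS": "fish <b>chips</b>",
    }
    safe_template = "$(PAGEHEADER)\n<p>You searched for: $&(WORDS)</p>"
    risky_template = "$(PAGEHEADER)\n<p>You searched for: $(WORDS)</p>"

    print(expand(safe_template, variables))
    print(expand(risky_template, variables))
    print("raw, untrusted substitutions:", audit(risky_template, TRUSTED_HTML))
```

Running the script shows the header markup surviving in both templates, the `<b>` in the search terms arriving as `&lt;b&gt;` only under `$&(WORDS)`, and the audit naming `WORDS` as the one raw substitution worth a second look; that per-variable decision is the point Gilles makes about context.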