From: Florian H. <fl...@ha...> - 2001-10-19 07:16:12

On Thu, Oct 18, 2001 at 01:13:38PM -0500, Gilles Detillieux wrote:
> The added "&" after the "$" in 3.1.5 template files causes the template
> variable to be SGML-encoded. I suspect that the debian release of
> htdig didn't bother updating the template files it installs, but instead
> installs something they customized from an earlier version of htdig.

No, the files in debian contain properly escaped substitutions, it was just
my templates that had the problem.

Still, I think it is a design error to make the default syntax for variable
substitution (which is the same every other program uses) insecure. You
should have to take additional steps if you want insecure behaviour, not if
you want secure behaviour.

Yours, Florian Hars.
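The two substitution designs the thread contrasts, as an added illustration that is not part of this mailing-list message and not htdig's own code: a toy template renderer with htdig's convention as described above (plain `$(NAME)` inserts the value raw, `$&(NAME)` SGML-encodes it; the exact spelling is assumed from the discussion), beside the secure-by-default alternative Florian argues for, where the plain spelling encodes and a separate marker (`$!(NAME)`, invented here) is the explicit opt-out. It also includes a small audit helper that lists which substitutions in an htdig-style template would be inserted unencoded, which is the check a template author would want to run after upgrading.

```python
import html
import re

# One token grammar for both renderers: "$(NAME)", "$&(NAME)", "$!(NAME)".
# The optional modifier character is captured in group 1, the name in group 2.
TOKEN = re.compile(r"\$([&!]?)\((\w+)\)")


def _lookup(variables, name):
    """Missing variables render as empty strings, like most template engines."""
    return str(variables.get(name, ""))


def render_htdig_style(template, variables):
    """htdig 3.1.5 convention as described in the thread (assumed syntax):
    "$(NAME)" inserts the value raw, "$&(NAME)" SGML/HTML-encodes it.
    Any template that uses the plain form with untrusted data is unsafe."""
    def substitute(match):
        modifier, name = match.group(1), match.group(2)
        value = _lookup(variables, name)
        return html.escape(value, quote=True) if modifier == "&" else value
    return TOKEN.sub(substitute, template)


def render_secure_default(template, variables):
    """Secure-by-default variant: "$(NAME)" and "$&(NAME)" both encode;
    only the invented opt-out marker "$!(NAME)" inserts the value raw."""
    def substitute(match):
        modifier, name = match.group(1), match.group(2)
        value = _lookup(variables, name)
        return value if modifier == "!" else html.escape(value, quote=True)
    return TOKEN.sub(substitute, template)


def find_raw_substitutions(template):
    """Audit helper for htdig-style templates: names that would be inserted
    without encoding, i.e. every "$(NAME)" that has not been changed to "$&(NAME)"."""
    return [name for modifier, name in TOKEN.findall(template) if modifier != "&"]


if __name__ == "__main__":
    # Constructed sample: a search-result template and a title that contains
    # markup characters, as indexed page titles routinely do.
    template = '<li><a href="$(URL)">$(TITLE)</a></li>'
    variables = {"URL": "http://example.invalid/?q=a&b", "TITLE": '<b>Q3</b> "report"'}

    print("htdig-style (raw by default): ", render_htdig_style(template, variables))
    print("secure default (encoded):     ", render_secure_default(template, variables))
    print("raw substitutions to review:  ", find_raw_substitutions(template))
```

Running the script shows the raw renderer passing the `<b>` tag and the bare `&` straight into the output, while the secure-default renderer emits `&lt;b&gt;Q3&lt;/b&gt; &quot;report&quot;` and `a&amp;b`; the audit helper reports `['URL', 'TITLE']` for the sample template, which is exactly the list of tokens an htdig-style template author would need to rewrite as `$&(...)`.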