
htdig-dev@lists.sourceforge.net 25 September 2007 • 7:10PM -0400

[htdig-dev] XSS error in syntax.html
by Michael Skibbe

Hi,

There is an XSS error in syntax.html of htdig.

You can reproduce this like this:
http://foo.bar/cgi-bin/htsearch?config=&restrict=&exclude=&method=and&format=builtin-long&sort=<script>alert("foo")</script>&words=foo

$(SYNTAXERROR) must be quoted by htdig before filling it in.

greetings
Michael
--
Michael Skibbe <mskibbe@suse...>
Core Services
SUSE Linux Products GmbH                      GF: Markus Rex
Nuernberg, Germany                            HRB 16746 (AG Nuernberg)

_______________________________________________
ht://Dig Developer mailing list:
htdig-dev@list...
List information (subscribe/unsubscribe, etc.)
https://lists.sourceforge.net/lists/listinfo/htdig-dev
