Re: [htdig3-dev] Use of & as CGI variable separator vs. HTML 4.0

Subject: Re: [htdig3-dev] Use of & as CGI variable separator vs. HTML 4.0
From: Geoff Hutchison (
Date: Tue Feb 15 2000 - 14:53:33 PST

On Tue, 15 Feb 2000, Gilles Detillieux wrote:

> Hi, folks. After thinking about some recent messages expressing
> concern about htsearch's compliance with HTML 4.0, and its potential
> vulnerability to cross-site scripting, I've decided there are a couple
> things worth doing.

I think these are worth doing, but I'd also like to see if we can come up
with a potential exploit with this, if only to gauge the severity of the

> Following that discussion, there were some references to RFCs 1738 &
> 2396, and recommendations about how URL parameters should be encoded.

Yeah, I think I need to gather a bunch of useful RFCs and put them on This would, at least, make it easier to read them.

> If not, I'll adapt it for 3.2 as well. Maybe the unreserved list should
> go right in URL.h, as the default for encodeURL(). Any preferences

When we first started 3.2, I knew that URL.h and needed a lot of
work. I set aside both the reserved and unreserved lists to do this and
started in on some of the revisions to with every intention of
doing the encoding issues. Of course, I got sidetracked.

I think it should go in URL.h.

> I think we'll also want to change all the default follow-up search forms
> (nomatch.html, syntax.html, header.html, wrapper.html) to use $&(WORDS),
> $&(EXCLUDE) and %&(RESTRICT) as the default values for their corresponding

I've been wondering about that myself. I wonder about config since people
might want funky config file-names. But these three are obviously going to
be potential problems. Also, other parts of the templates may need
changing, regardless of the site-scripting problem.
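As an added illustration of the two fixes under discussion (this is example code written for this archive page, not htdig's own source), the following Python shows percent-encoding of URL parameters against the RFC 2396 "unreserved" set, joining them with `&` as the CGI separator, writing that `&` as `&amp;` when the URL lands inside an HTML attribute (the HTML 4.0 recommendation behind the subject line), and a small template expander that treats `$(WORDS)` as verbatim and `$&(WORDS)` as HTML-escaped, so the cross-site scripting difference between the two forms is visible on a constructed search term. The `$&(NAME)` semantics are taken from the thread; the function names, the regex and the sample values are assumptions made for the example.

```python
"""Added example, not htdig code: RFC 2396 URL encoding plus HTML-escaped
template expansion, showing why htsearch templates should use $&(WORDS)."""

import html
import re
import string

# RFC 2396 section 2.3 "unreserved" characters: alphanumerics plus the
# "mark" set. Everything else is percent-encoded byte by byte (UTF-8).
UNRESERVED = set(string.ascii_letters + string.digits + "-_.!~*'()")


def encode_url_component(value: str) -> str:
    """Percent-encode every byte of `value` that is not unreserved."""
    out = []
    for ch in value:
        if ch in UNRESERVED:
            out.append(ch)
        else:
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
    return "".join(out)


def build_query(params: dict) -> str:
    """Join encoded name=value pairs with '&', the CGI separator htsearch uses."""
    return "&".join(
        f"{encode_url_component(k)}={encode_url_component(v)}"
        for k, v in params.items()
    )


def query_for_html_attribute(params: dict) -> str:
    """Same query string, but with '&' written as '&amp;' for use inside an
    HTML attribute such as href="...", as HTML 4.0 recommends."""
    return build_query(params).replace("&", "&amp;")


# Two variants of a follow-up search form field, as in nomatch.html etc.:
# the raw $(WORDS) substitution and the HTML-escaped $&(WORDS) one.
TEMPLATE_RAW = '<input type="text" name="words" value="$(WORDS)">'
TEMPLATE_ESCAPED = '<input type="text" name="words" value="$&(WORDS)">'

# Assumed template syntax: $(NAME) verbatim, $&(NAME) entity-escaped.
_VAR_RE = re.compile(r"\$(&?)\(([A-Z_]+)\)")


def expand_template(template: str, variables: dict) -> str:
    """Expand template variables in one pass so that escaped output can
    never be re-interpreted as another variable reference."""
    def substitute(match: re.Match) -> str:
        escaped, name = match.group(1), match.group(2)
        value = variables.get(name, "")
        return html.escape(value, quote=True) if escaped else value
    return _VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: a search term containing a quote and a tag.
    words = 'cats "and" <b>dogs</b>'
    print(build_query({"words": words, "config": "htdig"}))
    print(query_for_html_attribute({"words": words, "config": "htdig"}))
    print("raw:     ", expand_template(TEMPLATE_RAW, {"WORDS": words}))
    print("escaped: ", expand_template(TEMPLATE_ESCAPED, {"WORDS": words}))
```

With the raw template the quote in the search term closes the `value` attribute and the tag is emitted into the page unchanged; with `$&(WORDS)` the same input becomes `&quot;` and `&lt;b&gt;` text, which is the whole point of switching the default templates over.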



This archive was generated by hypermail 2b28 : Tue Feb 15 2000 - 14:56:22 PST