Re: [htdig3-dev] Use of & as CGI variable separator vs. HTML 4.0


Subject: Re: [htdig3-dev] Use of & as CGI variable separator vs. HTML 4.0
From: Geoff Hutchison (ghutchis@wso.williams.edu)
Date: Tue Feb 15 2000 - 14:53:33 PST


On Tue, 15 Feb 2000, Gilles Detillieux wrote:

> Hi, folks. After thinking about some recent messages expressing
> concern about htsearch's compliance with HTML 4.0, and its potential
> vulnerability to cross-site scripting, I've decided there are a couple
> things worth doing.

I think these are worth doing, but I'd also like to see if we can come up
with a potential exploit with this, if only to gauge the severity of the
problem.

> Following that discussion, there were some references to RFCs 1738 &
> 2396, and recommendations about how URL parameters should be encoded.

Yeah, I think I need to gather a bunch of useful RFCs and put them on
dev.htdig.org. This would, at least, make it easier to read them.

> If not, I'll adapt it for 3.2 as well. Maybe the unreserved list should
> go right in URL.h, as the default for encodeURL(). Any preferences

When we first started 3.2, I knew that URL.h and URL.cc needed a lot of
work. I set aside both the reserved and unreserved lists to do this and
started in on some of the revisions to URL.cc with every intention of
doing the encoding issues. Of course, I got sidetracked.

I think it should go in URL.h.

> I think we'll also want to change all the default follow-up search forms
> (nomatch.html, syntax.html, header.html, wrapper.html) to use $&(WORDS),
> $&(EXCLUDE) and $&(RESTRICT) as the default values for their corresponding

I've been wondering about that myself. I wonder about config since people
might want funky config file-names. But these three are obviously going to
be potential problems. Also, other parts of the templates may need
changing, regardless of the site-scripting problem.

-Geoff
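The two encodings the thread keeps circling back to, put side by side as an added example. This is not ht://Dig code; it is written in C++ because that is what htsearch is. encodeURL() takes the RFC 2396 unreserved list as its default, as Gilles suggests for URL.h; encodeHTML() does what the $&(VAR) template form does; expandTemplate() is a deliberately tiny stand-in for htsearch's template expansion with an assumed, simplified syntax (only $(NAME) and $&(NAME)). The form snippets, the hostile search term, and the "htsearch" script path in followUpHref() are constructed for the example.

```cpp
// Added example (not ht://Dig code); see the lead-in for what is assumed.
#include <cstdio>
#include <map>
#include <string>

typedef std::map<std::string, std::string> Vars;

// RFC 2396 2.3: unreserved = alphanum | "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
static const std::string kUnreserved =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()";

// Percent-encode every octet outside the unreserved set, so '&', '=', '+', '/',
// '?' and '#' in a value can never act as delimiters once it sits in a query string.
std::string encodeURL(const std::string &in, const std::string &unreserved = kUnreserved) {
    std::string out;
    char buf[4];
    for (unsigned char c : in) {
        if (unreserved.find((char)c) != std::string::npos) {
            out += (char)c;
        } else {
            std::snprintf(buf, sizeof buf, "%%%02X", (unsigned)c);
            out += buf;
        }
    }
    return out;
}

// Entity-encode for an HTML attribute or text node (the $&(VAR) form). Both quote
// characters must be covered, or a term echoed into value="..." closes the tag.
std::string encodeHTML(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Stand-in for htsearch's template expansion (assumed, simplified syntax): "$(NAME)"
// inserts the raw value, "$&(NAME)" the entity-encoded one; unknown names become "".
std::string expandTemplate(const std::string &tmpl, const Vars &vars) {
    std::string out;
    size_t i = 0;
    while (i < tmpl.size()) {
        if (tmpl[i] == '$' && i + 1 < tmpl.size()) {
            bool html = (tmpl[i + 1] == '&');
            size_t open = i + (html ? 2 : 1);
            size_t close = (open < tmpl.size() && tmpl[open] == '(')
                               ? tmpl.find(')', open) : std::string::npos;
            if (close != std::string::npos) {
                Vars::const_iterator it = vars.find(tmpl.substr(open + 1, close - open - 1));
                std::string val = (it == vars.end()) ? "" : it->second;
                out += html ? encodeHTML(val) : val;
                i = close + 1;
                continue;
            }
        }
        out += tmpl[i++];
    }
    return out;
}

// Constructed inputs: the follow-up form field before/after the proposed change,
// and a hostile search term that breaks out of the value attribute.
static const std::string kRawForm  = "<input type=\"text\" name=\"words\" value=\"$(WORDS)\">";
static const std::string kSafeForm = "<input type=\"text\" name=\"words\" value=\"$&(WORDS)\">";
static const std::string kPayload  = "\"><script>alert(1)</script>";

// Query string for a follow-up link: names and values URL-encoded separately, joined by '&'.
std::string buildQuery(const Vars &params) {
    std::string q;
    for (Vars::const_iterator it = params.begin(); it != params.end(); ++it) {
        if (!q.empty()) q += '&';
        q += encodeURL(it->first) + "=" + encodeURL(it->second);
    }
    return q;
}

// The link as written into an href (script path "htsearch" assumed): the URL-encoded
// query is entity-encoded again, turning '&' into "&amp;" as HTML 4.0 wants in attributes.
std::string followUpHref(const Vars &params) {
    return encodeHTML("htsearch?" + buildQuery(params));
}

int main() {
    Vars v, p;
    v["WORDS"] = kPayload; p["words"] = "a b"; p["exclude"] = "x&y";
    std::printf("raw : %s\nsafe: %s\nhref: %s\n", expandTemplate(kRawForm, v).c_str(),
                expandTemplate(kSafeForm, v).c_str(), followUpHref(p).c_str());
    return 0;
}
```

Rendering kRawForm with the constructed term leaves a live <script> element in the page; kSafeForm renders the same term as inert text inside the attribute, which is the whole reason for switching the templates to $&(WORDS). Two caveats the code makes visible: the RFC 2396 unreserved set includes the single quote, so URL-encoding alone is not enough for a value that lands in a quoted HTML attribute, and the two encodings have to be layered in the right order (URL-encode each parameter, build the query, then entity-encode the result for the href), which is also what turns the & separators into &amp; as the subject line of this thread is about.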




This archive was generated by hypermail 2b28 : Tue Feb 15 2000 - 14:56:22 PST