htdig suffers from a cross-site scripting flaw as found by Michael Krax. Looks like this one is different to the last and isn't based on bad templates. The flaw doesn't seem to affect the htdig on htdig.org although there is no patch in CVS, so maybe they applied a quick patch themselves.
Created attachment 49640: htdig-3.2.0b6-unescaped_output.patch
Apparently parts of it leaked (see bug 80602). Asking for confirmation on v-s that it should be considered public.
*** This bug has been marked as a duplicate of 80602 ***