Recently, like many of you, I've had some trouble getting websites listed on the AOL-owned “Open Directory Project” known as Dmoz.
After very little searching I soon discovered that the main search function of Dmoz is vulnerable.
This means malicious users could easily place HTML code into the search form input box and manipulate the markup on the site (aka Cross-Site Scripting or XSS).
Here’s a proof of concept showing how you would link to example.com with the anchor text as “Look, I made a link”:
To make this effective, you would simply need to swap out the domain and the anchor text and (in theory) you would have to link to them from various other websites for them to eventually get indexed and start passing link juice for things like PageRank.
This is not the first time that Dmoz has been subject to such a flaw, as in 2007 they were subject to a similar XSS vulnerability in their blog search.
There are many well-established ways Dmoz could fix this (aside from fixing their site code) on the server but they have chosen not to. I’m not sure why.
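As an added example (not from the original post and not Dmoz's code), here is the vulnerable pattern of echoing a search term into the results page, next to the output-encoded version, with a regression check that parses the rendered page for tags the template never emits. The template, the `/search` path and all function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the kind of markup the post describes
# being typed into the search box.
SAMPLE_QUERY = '<a href="http://example.com/">Look, I made a link</a>'

# Hypothetical results-page template: the query is echoed back in an
# attribute context (the search box) and a text context (the heading).
TEMPLATE = (
    '<form action="/search"><input name="q" value="{attr}"></form>\n'
    '<p>Search results for: {text}</p>'
)
TEMPLATE_TAGS = {"form", "input", "p"}


def render_unsafe(query):
    """Vulnerable pattern: user input is placed in the page unencoded."""
    return TEMPLATE.format(attr=query, text=query)


def render_safe(query):
    """Hardened: HTML-encode on output; quote=True also encodes " and '
    so the value cannot break out of the attribute."""
    encoded = html.escape(query, quote=True)
    return TEMPLATE.format(attr=encoded, text=encoded)


class _TagCollector(HTMLParser):
    """Records the name of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(page):
    """Return start tags in the rendered page that the template never emits."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_unsafe(SAMPLE_QUERY)))
    print("safe:  ", unexpected_tags(render_safe(SAMPLE_QUERY)))
```

The same check can run in a test suite against every page that reflects request parameters, so a template change that drops the encoding is caught before release.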
Is there any SEO value in this type of link? It’s uncertain.
Is there a security risk? Yes, definitely.
Will Dmoz pull their finger out or is he dead, Jim?
Note: Dmoz Staff were unavailable for comment at time of publication (email address was unreachable).