20f2023e247107b60531978989c912942d5aac65
galt
  Thu Aug 11 14:08:28 2016 -0700
Revert "Reverting this line because it seems to cause unnecessary double-encoding of the error message."

This reverts commit f52636fabd76fcf998604f16d815cf606d52c758.

diff --git src/lib/htmshell.c src/lib/htmshell.c
index c929fed..ab6e292 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -293,31 +293,31 @@
             "var endOfPage = document.body.innerHTML.substr(document.body.innerHTML.length-20);"
             "if(endOfPage.lastIndexOf('-- ERROR --') > 0) { history.back(); }"
           "}\n"); // Note OK button goes to prev page when this page is interrupted by the error.
 fprintf(f,"window.onunload = function(){}; // Trick to avoid FF back button issue.\n");
 fprintf(f,"</script>\n");
 }
 
 void htmlVaWarn(char *format, va_list args)
 /* Write an error message. */
 {
 va_list argscp;
 va_copy(argscp, args);
 htmlWarnBoxSetup(stdout); // sets up the warnBox if it hasn't already been done.
 char warning[1024];
 vsnprintf(warning,sizeof(warning),format, args);
-char *encodedMessage = htmlEncodeText(warning,TRUE); // NOTE: While some internal HTML should work,
+char *encodedMessage = htmlEncodeText(warning,FALSE); // NO tags allowed to prevent XSS hacks
                                                      // a single quote (') will will screw it up!
 printf("<script type='text/javascript'>{showWarnBox();"
         "var warnList=document.getElementById('warnList');"
         "warnList.innerHTML += '<li>%s</li>';}</script><!-- ERROR -->\n",encodedMessage); 
                                      // NOTE that "--ERROR --" is needed at the end of this print!!
 freeMem(encodedMessage);
 
 /* Log useful CGI info to stderr */
 logCgiToStderr();
 
 /* write warning/error message to stderr so they get logged. */
 vfprintf(stderr, format, argscp);
 va_end(argscp);
 fflush(stderr);
 }
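Review bot: Switching to `htmlEncodeText(warning,FALSE)` on the `encodedMessage` line stops tags from reaching the page, but the result is still interpolated into a single-quoted JavaScript string literal (`'<li>%s</li>'` inside a `<script>` block), and the comment that survives on the next line admits a single quote still breaks it; HTML entity encoding does not cover that context, so a `'`, a backslash or a line terminator in the message can close the literal and let the remainder run as script (assuming htmlEncodeText leaves those characters alone, which I cannot confirm from here). I would escape `\`, `'`, CR and LF for the JS context after the HTML encoding, emitting the message piecewise instead of through the single printf, as sketched below; the trailing `<!-- ERROR -->` must stay because the warn-box script earlier in this hunk searches for it. The fragment `// a single quote (') will will screw it up!` now dangles after the revert and should be dropped or rewritten to say that the JS-string escaping is what handles quotes. htmlVaWarn is complete within this hunk.
```c
char *encodedMessage = htmlEncodeText(warning,FALSE); // NO tags allowed to prevent XSS hacks
/* The sink is a single-quoted JS string literal, not HTML text: escape the
 * characters that can end or break that literal before writing them out. */
fputs("<script type='text/javascript'>{showWarnBox();"
      "var warnList=document.getElementById('warnList');"
      "warnList.innerHTML += '<li>", stdout);
for (char *p = encodedMessage; *p; p++)
    {
    switch (*p)
        {
        case '\\': fputs("\\\\", stdout); break;
        case '\'': fputs("\\'", stdout); break;
        case '\n': fputs("\\n", stdout); break;
        case '\r': fputs("\\r", stdout); break;
        default:   putchar(*p);
        }
    }
fputs("</li>';}</script><!-- ERROR -->\n", stdout);
                                     // NOTE that "--ERROR --" is needed at the end of this print!!
freeMem(encodedMessage);
/* … unchanged: logCgiToStderr() and the stderr copy of the message … */
```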