4aa7141dedea619f3bc7d42316f886bcfd554349
galt
  Thu Jul 28 20:30:09 2016 -0700
Finishing touches on html-encoding of errors for warn/abort when using html output.

diff --git src/lib/htmshell.c src/lib/htmshell.c
index c929fed..00d872b 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -293,31 +293,31 @@
             "var endOfPage = document.body.innerHTML.substr(document.body.innerHTML.length-20);"
             "if(endOfPage.lastIndexOf('-- ERROR --') > 0) { history.back(); }"
           "}\n"); // Note OK button goes to prev page when this page is interrupted by the error.
 fprintf(f,"window.onunload = function(){}; // Trick to avoid FF back button issue.\n");
 fprintf(f,"</script>\n");
 }
 
 void htmlVaWarn(char *format, va_list args)
 /* Write an error message. */
 {
 va_list argscp;
 va_copy(argscp, args);
 htmlWarnBoxSetup(stdout); // sets up the warnBox if it hasn't already been done.
 char warning[1024];
 vsnprintf(warning,sizeof(warning),format, args);
-char *encodedMessage = htmlEncodeText(warning,TRUE); // NOTE: While some internal HTML should work,
+char *encodedMessage = htmlEncodeText(warning,FALSE); // Encrypt tags to fight XSS
                                                      // a single quote (') will will screw it up!
 printf("<script type='text/javascript'>{showWarnBox();"
         "var warnList=document.getElementById('warnList');"
         "warnList.innerHTML += '<li>%s</li>';}</script><!-- ERROR -->\n",encodedMessage); 
                                      // NOTE that "--ERROR --" is needed at the end of this print!!
 freeMem(encodedMessage);
 
 /* Log useful CGI info to stderr */
 logCgiToStderr();
 
 /* write warning/error message to stderr so they get logged. */
 vfprintf(stderr, format, argscp);
 va_end(argscp);
 fflush(stderr);
 }
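Review bot: The HTML-encoded message on the new line is still interpolated into a JavaScript single-quoted string literal (`warnList.innerHTML += '<li>%s</li>'`), and HTML entity encoding does not by itself neutralize the characters that terminate a JS string — the surviving comment fragment right below the change still warns that a `'` "will will screw it up". Unless htmlEncodeText also encodes `'`, `\` and CR/LF (not visible in this hunk), a warning that contains any of them — and warnings can carry user-supplied CGI values — can break out of the literal and run as script, so the XSS hardening here is only partial. The message should get a JS-string escaping pass after the HTML encoding (backslash-escape `\`, `'` and newlines), or be delivered as text via `textContent` on a created `li` element instead of being spliced into an innerHTML string. The new comment is also misleading: "Encrypt" should be `// HTML-encode tags to fight XSS (still needs JS-string escaping for the quoted literal below)`, and the orphaned "a single quote" line should be folded into that comment rather than left dangling.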