febe3b4030b731590c83b2843306f52b28ab792b
galt
  Tue Aug 30 12:13:27 2016 -0700
Improving comment accuracy, thanks Brian.

diff --git src/lib/htmshell.c src/lib/htmshell.c
index a5be6ca..d227321 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -215,32 +215,32 @@
 strSwapStrs(cleanQuote, size,"\n","<BR>" ); // use BR tag for new lines
 if (cgiClientBrowser(NULL,NULL,NULL) == btFF) // Firefox
     strSwapStrs(cleanQuote, size, "&#124;", "<BR>"); // replace with BR tag
 else
     strSwapStrs(cleanQuote, size, "&#x0A;", "<BR>"); // replace with BR tag
 
 return cleanQuote;
 }
 
 
 
 int htmlEncodeTextExtended(char *s, char *out, int outSize)
 /* Replaces required punctuation characters with html entities to fight XSS. 
  * out result must be large enough to receive the encoded string.
  * Returns size of encoded string or -1 if output larger than outSize. 
- * Pass in NULL for out to just get the final encoded size. 
- * Pass in 0 for outSize to find the size of the final string.
+ * To just get the final encoded size, pass in NULL for out and 0 for outSize. 
+ * To output without checking sizes, pass in non-NULL for out and 0 for outSize. 
  */
 {
 boolean FF = FALSE;
 if (cgiClientBrowser(NULL,NULL,NULL) == btFF)
     FF = TRUE;
 int total = 0;
 char c = 0;
 do
     {
     c=*s++;
     int size = 1;
     char *newString = NULL; 
     if (c == '&') { size = 5; newString = "&amp;"; } // '&' start a control char
     if (c == '>') { size = 4; newString = "&gt;" ; } // '>' close of tag
     if (c == '<') { size = 4; newString = "&lt;" ; } // '<' open  of tag
@@ -288,32 +288,32 @@
    This differs from cgiEncode as it handles text that will
    be displayed in an html page or tooltip style title.  */
 {
 int size = htmlEncodeTextSize(s);
 char *out = needMem(size+1);
 htmlEncodeTextExtended(s, out, size+1);
 return out;
 }
 
 int nonAlphaNumericHexEncodeTextExtended(char *s, char *out, int outSize, 
    char *prefix, char *postfix, int encodedSize)
 /* For html tag attributes, it replaces non-alphanumeric characters
  * with <prefix>HH<postfix> hex codes to fight XSS.
  * out result must be large enough to receive the encoded string.
  * Returns size of encoded string or -1 if output larger than outSize. 
- * Pass in NULL for out to just get the final encoded size. 
- * Pass in 0 for outSize to find the size of the final string.
+ * To just get the final encoded size, pass in NULL for out and 0 for outSize. 
+ * To output without checking sizes, pass in non-NULL for out and 0 for outSize. 
  */
 {
 int total = 0;
 char c = 0;
 do
     {
     c=*s++;
     int size = 1;
     if (!isalnum(c)) // alpha-numeric
 	{
 	size = encodedSize;
 	}
     if (c == 0)
 	size = 1;    // do not encode the terminating 0
     if (out)
@@ -339,114 +339,114 @@
 	    while ((x = *pf++) != 0)
 		*out++ = x;
 	    }
 	}
     total += size;
     } while (c != 0);
 return total - 1; // do not count terminating 0
 }
 
 
 int attrEncodeTextExtended(char *s, char *out, int outSize)
 /* For html tag attributes, it replaces non-alphanumeric characters
  * with html entities &#xHH; to fight XSS.
  * out result must be large enough to receive the encoded string.
  * Returns size of encoded string or -1 if output larger than outSize. 
- * Pass in NULL for out to just get the final encoded size. 
- * Pass in 0 for outSize to find the size of the final string.
+ * To just get the final encoded size, pass in NULL for out and 0 for outSize. 
+ * To output without checking sizes, pass in non-NULL for out and 0 for outSize. 
  */
 {
 return nonAlphaNumericHexEncodeTextExtended(s, out, outSize, "&#x", ";", 6);
 }
 
 int attrEncodeTextSize(char *s)
 /* Returns what the encoded size will be after replacing characters with escape codes. */
 {
 return attrEncodeTextExtended(s, NULL, 0);
 }
 
 char *attributeEncode(char *s)
 /* Returns a cloned string with non-alphanumeric characters replaced by escape codes. */
 {
 int size = attrEncodeTextSize(s);
 char *out = needMem(size+1);
 attrEncodeTextExtended(s, out, size+1);
 return out;
 }
 
 
 int cssEncodeTextExtended(char *s, char *out, int outSize)
 /* For CSS, it replaces non-alphanumeric characters with "\HH " to fight XSS.
  * (Yes, the trailing space is critical.)
  * out result must be large enough to receive the encoded string.
  * Returns size of encoded string or -1 if output larger than outSize. 
- * Pass in NULL for out to just get the final encoded size. 
- * Pass in 0 for outSize to find the size of the final string.
+ * To just get the final encoded size, pass in NULL for out and 0 for outSize. 
+ * To output without checking sizes, pass in non-NULL for out and 0 for outSize. 
  */
 {
 return nonAlphaNumericHexEncodeTextExtended(s, out, outSize, "\\", " ", 4);
 }
 
 int cssEncodeTextSize(char *s)
 /* Returns what the encoded size will be after replacing characters with escape codes. */
 {
 return cssEncodeTextExtended(s, NULL, 0);
 }
 
 char *cssEncode(char *s)
 /* Returns a cloned string with non-alphanumeric characters replaced by escape codes. */
 {
 int size = cssEncodeTextSize(s);
 char *out = needMem(size+1);
 cssEncodeTextExtended(s, out, size+1);
 return out;
 }
 
 
 int javascriptEncodeTextExtended(char *s, char *out, int outSize)
 /* For javascript, it replaces non-alphanumeric characters with "\xHH" to fight XSS.
  * out result must be large enough to receive the encoded string.
  * Returns size of encoded string or -1 if output larger than outSize. 
- * Pass in NULL for out to just get the final encoded size. 
- * Pass in 0 for outSize to find the size of the final string.
+ * To just get the final encoded size, pass in NULL for out and 0 for outSize. 
+ * To output without checking sizes, pass in non-NULL for out and 0 for outSize. 
  */
 {
 return nonAlphaNumericHexEncodeTextExtended(s, out, outSize, "\\x", "", 4);
 }
 
 int javascriptEncodeTextSize(char *s)
 /* Returns what the encoded size will be after replacing characters with escape codes. */
 {
 return javascriptEncodeTextExtended(s, NULL, 0);
 }
 
 char *javascriptEncode(char *s)
 /* Returns a cloned string with non-alphanumeric characters replaced by escape codes. */
 {
 int size = javascriptEncodeTextSize(s);
 char *out = needMem(size+1);
 javascriptEncodeTextExtended(s, out, size+1);
 return out;
 }
 
 
 int urlEncodeTextExtended(char *s, char *out, int outSize)
 /* For URL parameters, it replaces non-alphanumeric characters with "%HH" to fight XSS.
  * out result must be large enough to receive the encoded string.
  * Returns size of encoded string or -1 if output larger than outSize. 
- * Pass in NULL for out to just get the final encoded size. 
- * Pass in 0 for outSize to find the size of the final string.
+ * To just get the final encoded size, pass in NULL for out and 0 for outSize. 
+ * To output without checking sizes, pass in non-NULL for out and 0 for outSize. 
  */
 {
 return nonAlphaNumericHexEncodeTextExtended(s, out, outSize, "%", "", 3);
 }
 
 int urlEncodeTextSize(char *s)
 /* Returns what the encoded size will be after replacing characters with escape codes. */
 {
 return urlEncodeTextExtended(s, NULL, 0);
 }
 
 char *urlEncode(char *s)
 /* Returns a cloned string with non-alphanumeric characters replaced by escape codes. */
 {
 int size = urlEncodeTextSize(s);