2817400f77ca691cedbc23df32154f00c0a4a77f galt Wed Aug 17 22:14:46 2016 -0700 This commit refs #17815, #17782. Addressing XSS issues in warn and errAbort via new htmlSafef and encoding for several cases including html, attribrute, css, js, url or none. Encoding approach is based on OWASP recommendations.
diff --git src/hg/hgTables/identifiers.c src/hg/hgTables/identifiers.c
index 4a4e160..1d85edc 100644
--- src/hg/hgTables/identifiers.c
+++ src/hg/hgTables/identifiers.c
@@ -481,47 +481,47 @@ struct tempName tn;
 trashDirFile(&tn, "hgt/missingIds", cartSessionId(cart), ".tmp");
 FILE *f = mustOpen(tn.forCgi, "w");
 int exampleCount = 0;
 for (term = missingTerms; term != NULL; term = term->next) {
 if (exampleCount < 10) {
 ++exampleCount;
 dyStringPrintf(exampleMissingIds, "%s\n", term->name);
 }
 fprintf(f, "%s\n", term->name);
 }
 carefulClose(&f);
- dyStringPrintf(exampleMissingIds, "\nComplete list of missing identifiers\n", tn.forHtml);
-
 warn("Note: %d of the %d given identifiers have no match in "
 "table %s, field %s%s%s%s%s. "
 "Try the \"describe table schema\" button for more "
 "information about the table and field.\n"
 "%d %smissing identifier(s):\n"
- "%s\n",
+ "%s\n"
+ "Complete list of missing identifiers\n",
 (totalTerms - foundTerms), totalTerms, curTable, idField,
 (xrefTable ? (xrefIsSame ? "" : " or in alias table ") : ""),
 (xrefTable ? (xrefIsSame ? "" : xrefTable) : ""),
 (xrefTable ? (xrefIsSame ? " or in field " : ", field ") : ""),
 (xrefTable ? aliasField : ""),
 exampleCount, exampleCount < missingCount ? "example " : "",
- exampleMissingIds->string
+ exampleMissingIds->string,
+ tn.forHtml
 );
 webNewSection("Table Browser");
 }
 lmCleanup(&lm);
 hashFree(&matchHash);
 } else {
 cartRemove(cart, hgtaIdentifierFile);
 }
 mainPageAfterOpen(conn);
 htmlClose();
 }
 char *identifierFileName()
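Review bot: The `warn()` format string as shown has eleven conversions (`%d`, `%d`, `%s`, `%s%s%s%s%s`, `%d`, `%s`, `%s`) but the new argument list has twelve entries ending in `tn.forHtml`, so either the anchor markup around `Complete list of missing identifiers` (presumably something like `"<A HREF=\"%s\">Complete list of missing identifiers</A>\n",`) was stripped when this diff was rendered, or the last argument is silently ignored and the link to the full list is lost — a `-Wformat` build of identifiers.c would settle it. `exampleMissingIds->string` is assembled from the caller-supplied identifiers (`term->name`), so it is untrusted text landing in page output; if `warn()` now HTML-encodes its whole formatted message, as the commit description indicates, that text is covered, but the anchor to `tn.forHtml` must then be produced by a path that keeps it as markup rather than inert escaped text. Note also that `tn.forHtml` appears to be a trash-directory file whose name derives from `cartSessionId(cart)`, so the complete list of submitted identifiers is retrievable by anyone holding the session id. The enclosing function starts before this hunk.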