2817400f77ca691cedbc23df32154f00c0a4a77f galt Wed Aug 17 22:14:46 2016 -0700 This commit refs #17815, #17782. Addressing XSS issues in warn and errAbort via new htmlSafef and encoding for several cases including html, attribrute, css, js, url or none. Encoding approach is based on OWASP recommendations.
diff --git src/hg/hgTracks/hgTracks.c src/hg/hgTracks/hgTracks.c
index af59149..dde1019 100644
--- src/hg/hgTracks/hgTracks.c
+++ src/hg/hgTracks/hgTracks.c
@@ -9649,20 +9649,20 @@ hPrintf("</script>\n");
 boolean gotExtTools = extToolsEnabled();
 setupHotkeys(gotExtTools);
 if (gotExtTools) printExtMenuData();
 if (measureTiming) measureTime("Time at end of doMiddle, next up cart write");
 if (cartOptionalString(cart, "udcTimeout")) { warn("The Genome Browser cart currently includes the \"udcTimeout\" string. " "While this is useful for debugging hubs, it may negatively impact " "performance. To clear this variable, click "
- "<A HREF=hgTracks?hgsid=%s&udcTimeout=[]>here</A>.",cartSessionId(cart));
+ "<A HREF='hgTracks?hgsid=%s|url|&udcTimeout=[]'>here</A>.",cartSessionId(cart));
 }
 }