2817400f77ca691cedbc23df32154f00c0a4a77f
galt
  Wed Aug 17 22:14:46 2016 -0700
This commit refs #17815, #17782. Addressing XSS issues in warn and errAbort via new htmlSafef and encoding for several cases including html, attribute, css, js, url or none. Encoding approach is based on OWASP recommendations.

diff --git src/hg/lib/cartJson.c src/hg/lib/cartJson.c
index 2b2db48..38b214a 100644
--- src/hg/lib/cartJson.c
+++ src/hg/lib/cartJson.c
@@ -106,31 +106,31 @@
 		jsonWriteString(jw, "position", pos->name);
 	    // this is magic to tell the browser to make the
 	    // composite and this subTrack visible
 	    if (tdb->parent)
 		{
 		if (tdbIsSuperTrackChild(tdb))
 		    jsonWriteStringf(jw, "extraSel", "%s=show&", tdb->parent->track);
 		else
 		    {
 		    // tdb is a subtrack of a composite or a view
 		    jsonWriteStringf(jw, "extraSel", "%s_sel=1&%s_sel=1&",
 				     trackName, tdb->parent->track);
 		    }
 		}
 	    jsonWriteString(jw, "hgFindMatches", encMatches);
-	    jsonWriteString(jw, "posName", htmlEncodeText(pos->name, FALSE));
+	    jsonWriteString(jw, "posName", htmlEncode(pos->name));
 	    if (pos->description)
 		{
 		stripString(pos->description, "\n");
 		jsonWriteString(jw, "description", stripAnchor(pos->description));
 		}
 	    jsonWriteObjectEnd(jw); // end one match
 	    }
 	jsonWriteListEnd(jw); // end matches
 	jsonWriteObjectEnd(jw); // end one table
 	}
     }
     jsonWriteListEnd(jw); // end positionMatches
 }
 
 static struct hgPositions *genomePosCJ(struct jsonWrite *jw,
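Review bot: The `description` value written just below the changed `posName` line is still emitted as `stripAnchor(pos->description)` with no HTML encoding, so in a commit aimed at XSS only one of the two text fields of a match is encoded. If the client inserts `description` into the page as markup, either encode it the same way, `jsonWriteString(jw, "description", htmlEncode(stripAnchor(pos->description)));`, or, if it is meant to carry trusted markup, say so in a comment such as `// description is inserted as HTML by the client; only anchors are stripped, other markup is passed through on purpose`. The same question applies to `position`, which writes `pos->name` unencoded at the top of the hunk, presumably because it is used as a value rather than rendered; a short comment stating which JSON fields are pre-encoded for an HTML sink would keep the server and client in agreement. Separately, if `htmlEncode` returns a newly allocated string, the result passed to `jsonWriteString` is never freed inside the loop. The enclosing function starts outside the hunk, so the origin of `pos` and `encMatches` is not visible here.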