2817400f77ca691cedbc23df32154f00c0a4a77f
galt
  Wed Aug 17 22:14:46 2016 -0700
This commit refs #17815, #17782. Addressing XSS issues in warn and errAbort via new htmlSafef and encoding for several cases including html, attribute, css, js, url or none. Encoding approach is based on OWASP recommendations.

diff --git src/hg/lib/hui.c src/hg/lib/hui.c
index a10aaec..3199854 100644
--- src/hg/lib/hui.c
+++ src/hg/lib/hui.c
@@ -5381,31 +5381,31 @@
     char varName[256];
     char altLabel[256];
     safef(varName, sizeof(varName), "%s%s", scoreName, _BY_RANGE);
     boolean filterByRange = trackDbSettingClosestToHomeOn(tdb, varName);
     // NOTE: could determine isFloat = (strchr(setting,'.') != NULL);
     //       However, historical trackDb settings of pValueFilter did not always contain '.'
     if (isFloat)
         {
         double minLimit=NO_VALUE,maxLimit=NO_VALUE;
         double minVal=minLimit,maxVal=maxLimit;
         colonPairToDoubles(setting,&minVal,&maxVal);
         getScoreFloatRangeFromCart(cart,tdb,parentLevel,scoreName,&minLimit,&maxLimit,
                                                                   &minVal,  &maxVal);
         safef(varName, sizeof(varName), "%s.%s%s", name, scoreName, _MIN);
         safef(altLabel, sizeof(altLabel), "%s%s", (filterByRange ? "Minimum " : ""),
-              htmlEncodeText(htmlTextStripTags(label),FALSE));
+              htmlEncode(htmlTextStripTags(label)));
         cgiMakeDoubleVarWithLimits(varName,minVal, altLabel, 0,minLimit, maxLimit);
         if (filterByRange)
             {
             printf("<TD align='left'>to<TD align='left'>");
             safef(varName, sizeof(varName), "%s.%s%s", name, scoreName, _MAX);
             safef(altLabel, sizeof(altLabel), "%s%s", (filterByRange?"Maximum ":""), label);
             cgiMakeDoubleVarWithLimits(varName,maxVal, altLabel, 0,minLimit, maxLimit);
             }
         safef(altLabel, sizeof(altLabel), "%s", (filterByRange?"": "colspan=3"));
         if (minLimit != NO_VALUE && maxLimit != NO_VALUE)
             printf("<TD align='left'%s> (%g to %g)",altLabel,minLimit, maxLimit);
         else if (minLimit != NO_VALUE)
             printf("<TD align='left'%s> (minimum %g)",altLabel,minLimit);
         else if (maxLimit != NO_VALUE)
             printf("<TD align='left'%s> (maximum %g)",altLabel,maxLimit);
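Review bot: The "Maximum" label inside the filterByRange branch still passes the raw `label` (`safef(altLabel, sizeof(altLabel), "%s%s", (filterByRange?"Maximum ":""), label);`) while the "Minimum" label on the changed line now goes through `htmlEncode(htmlTextStripTags(label))`; both feed the same cgiMakeDoubleVarWithLimits call, so the maximum branch should use `htmlEncode(htmlTextStripTags(label))` too. The third hunk frees what htmlEncode returns (`freeMem(icon)`), which suggests it allocates; if so, the temporary built here directly as a safef argument is never freed, and holding it in a local that is freed after the safef would be cleaner. The enclosing function starts before and ends after this hunk.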
@@ -8085,49 +8085,49 @@
     webPrintLinkCellEnd();
     }
 sqlFreeResult(&sr);
 webPrintLinkTableEnd();
 printf("Total: %d\n", count);
 }
 
 boolean printPennantIconNote(struct trackDb *tdb)
 // Returns TRUE and prints out the "pennantIcon" and note when found.
 //This is used by hgTrackUi and hgc before printing out trackDb "html"
 {
 char * setting = trackDbSetting(tdb, "pennantIcon");
 if (setting != NULL)
     {
     setting = cloneString(setting);
-    char *icon = htmlEncodeText(nextWord(&setting),FALSE);
+    char *icon = htmlEncode(nextWord(&setting));
     char buffer[4096];
     char *src = NULL;
     
     if (startsWith("http://", icon) || startsWith("ftp://", icon) ||
         startsWith("https://", icon))
         src = icon;
     else
         {
         safef(buffer, sizeof buffer, "../images/%s", icon);
         src = buffer;
         }
 
     char *url = NULL;
     if (setting != NULL)
 	url = nextWord(&setting);
     char *hint = NULL;
     if (setting != NULL)
-	hint = htmlEncodeText(stripEnclosingDoubleQuotes(setting),FALSE);
+	hint = htmlEncode(stripEnclosingDoubleQuotes(setting));
 
     if (!isEmpty(url))
         {
 	if (isEmpty(hint))
 	    printf("<P><a href='%s' TARGET=ucscHelp><img height='16' width='16' "
 		   "src='%s'></a>",url,src);
 	else
 	    {
 	    printf("<P><a title='%s' href='%s' TARGET=ucscHelp><img height='16' width='16' "
 		   "src='%s'></a>",hint,url,src);
 
 	    // Special case for liftOver from hg17 or hg18, but this should probably be generalized.
 	    if (sameString(icon,"18.jpg") && startsWithWord("lifted",hint))
 		printf("&nbsp;Note: these data have been converted via liftOver from the Mar. 2006 "
 		       "(NCBI36/hg18) version of the track.");
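Review bot: `url`, taken from `nextWord(&setting)`, is printed unencoded into `href='%s'` in both printf calls, while `hint` and `icon` are encoded; a trackDb value containing a single quote can still terminate that attribute. The same unencoded `url` appears in hPrintPennantIcon in the next hunk (`hPrintf("<a title='%s' href='%s' TARGET=ucscHelp><img ...`). The commit message describes attribute and url context encoders; the one for attribute context is what `url` needs before the printf, and since every attribute here is single-quoted it should be confirmed that htmlEncode escapes the single quote as well. printPennantIconNote continues past this hunk, so whether `icon` and `hint` are freed there is not visible; hPrintPennantIcon frees both.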
@@ -8144,46 +8144,46 @@
     return TRUE;
     }
 return FALSE;
 }
 
 boolean hPrintPennantIcon(struct trackDb *tdb)
 // Returns TRUE and prints out the "pennantIcon" when found.
 // Example: ENCODE tracks in hgTracks config list.
 {
 char *setting = trackDbSetting(tdb, "pennantIcon");
 if (setting != NULL)
     {
     setting = cloneString(setting);
     char buffer[4096];
     char *src = NULL;
-    char *icon = htmlEncodeText(nextWord(&setting),FALSE);
+    char *icon = htmlEncode(nextWord(&setting));
     if (startsWith("http://", icon) || startsWith("ftp://", icon) ||
         startsWith("https://", icon))
         src = icon;
     else
         {
         safef(buffer, sizeof buffer, "../images/%s", icon);
         src = buffer;
         }
 
     if (setting)
         {
         char *url = nextWord(&setting);
         if (setting)
             {
-            char *hint = htmlEncodeText(stripEnclosingDoubleQuotes(setting),FALSE);
+            char *hint = htmlEncode(stripEnclosingDoubleQuotes(setting));
             hPrintf("<a title='%s' href='%s' TARGET=ucscHelp><img height='16' width='16' "
                     "src='%s'></a>\n",hint,url,src);
             freeMem(hint);
             }
         else
             hPrintf("<a href='%s' TARGET=ucscHelp><img height='16' width='16' "
                     "src='%s'></a>\n",url,src);
         }
     else
         hPrintf("<img height='16' width='16' src='%s'>\n",icon);
     freeMem(icon);
     return TRUE;
     }
 else if (trackDbSetting(tdb, "wgEncode") != NULL)
     {
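Review bot: `setting = cloneString(setting);` followed by `nextWord(&setting)` advances the only pointer to the copy, so the head of the cloned string is lost and never released — `freeMem(icon)` and `freeMem(hint)` cover only the encoded values (assuming cloneString allocates, as its name and the freeMem pattern here suggest). Keeping the head in its own variable, `char *settingCopy = cloneString(setting); setting = settingCopy;`, and adding `freeMem(settingCopy);` before `return TRUE;` fixes it; printPennantIconNote in the previous hunk has the same shape. hPrintPennantIcon ends outside this hunk.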