86516ebc28dc4b6c7c96067e66469308880d7502
galt
  Wed Sep 21 12:55:16 2016 -0700
Fixes XSS problem found in hgVisiGene. refs #17782.

diff --git src/lib/cheapcgi.c src/lib/cheapcgi.c
index 0a7954d..f90dc11 100644
--- src/lib/cheapcgi.c
+++ src/lib/cheapcgi.c
@@ -1565,66 +1565,66 @@
        rowCount, columnCount, disabled ? "DISABLED" : "",
        (initialVal != NULL ? initialVal : ""));
 }
 
 void cgiMakeOnKeypressTextVar(char *varName, char *initialVal, int charSize,
 			      char *script)
 /* Make a text control filled with initial value, with a (java)script
  * to execute every time a key is pressed.  If charSize is zero it's
  * calculated from initialVal size. */
 {
 if (initialVal == NULL)
     initialVal = "";
 if (charSize == 0) charSize = strlen(initialVal);
 if (charSize == 0) charSize = 8;
 
-printf("<INPUT TYPE=TEXT NAME=\"%s\" SIZE=%d VALUE=\"%s\"", varName,
+htmlPrintf("<INPUT TYPE=TEXT NAME='%s|attr|' SIZE=%d VALUE='%s'", varName,
         charSize, initialVal);
 if (isNotEmpty(script))
-    printf(" onkeypress=\"%s\"", script);
+    printf(" onkeypress='%s'", script);
 printf(">\n");
 }
 
 void cgiMakeTextVar(char *varName, char *initialVal, int charSize)
 /* Make a text control filled with initial value.  If charSize
  * is zero it's calculated from initialVal size. */
 {
 cgiMakeOnKeypressTextVar(varName, initialVal, charSize, NULL);
 }
 
 void cgiMakeTextVarWithExtraHtml(char *varName, char *initialVal, int width, char *extra)
 /* Make a text control filled with initial value. */
 {
 if (initialVal == NULL)
     initialVal = "";
 if (width==0)
     width=strlen(initialVal)*10;
 if (width==0)
     width = 100;
 
-printf("<INPUT TYPE=TEXT class='inputBox' NAME=\"%s\" style='width: %dpx' VALUE=\"%s\"",
+htmlPrintf("<INPUT TYPE=TEXT class='inputBox' NAME='%s|attr|' style='width:%dpx' VALUE='%s'",
        varName, width, initialVal);
 if (isNotEmpty(extra))
     printf(" %s",extra);
 printf(">\n");
 }
 
 void cgiMakeIntVarWithExtra(char *varName, int initialVal, int maxDigits, char *extra)
 /* Make a text control filled with initial value and optional extra HTML.  */
 {
 if (maxDigits == 0) maxDigits = 4;
-printf("<INPUT TYPE=TEXT NAME=\"%s\" SIZE=%d VALUE=%d %s>", 
+htmlPrintf("<INPUT TYPE=TEXT NAME=\"%s\" SIZE=%d VALUE=%d %s>", 
                 varName, maxDigits, initialVal, extra ? extra : "");
 }
 
 void cgiMakeIntVar(char *varName, int initialVal, int maxDigits)
 /* Make a text control filled with initial value.  */
 {
 cgiMakeIntVarWithExtra(varName, initialVal, maxDigits, NULL);
 }
 
 void cgiMakeIntVarInRange(char *varName, int initialVal, char *title, int width,
                           char *min, char *max)
 /* Make a integer control filled with initial value.
    If min and/or max are non-NULL will enforce range
    Requires utils.js jQuery.js and inputBox class */
 {
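Review bot: The `onkeypress` line in cgiMakeOnKeypressTextVar is still written with plain `printf`, and its delimiter changed from double to single quotes, so a `script` containing `'` (common in JavaScript string literals) now ends the attribute early, and `script` is the only value in that tag left unencoded. Sending it through the same encoder, e.g. `htmlPrintf(" onkeypress='%s|attr|'", script);`, would close that gap, assuming `|attr|` encodes both quote characters as its use on NAME suggests. cgiMakeIntVarWithExtra is converted inconsistently with the two functions above it: NAME keeps a bare `%s` in double quotes, and `extra`, documented there as "optional extra HTML", now passes through htmlPrintf's `%s`, which presumably entity-encodes it and would break caller-supplied attributes. Following cgiMakeTextVarWithExtraHtml, that could be `htmlPrintf("<INPUT TYPE=TEXT NAME='%s|attr|' SIZE=%d VALUE=%d", varName, maxDigits, initialVal);` followed by `printf(" %s>", extra ? extra : "");`. Both `extra` parameters also deserve a comment such as `/* extra is emitted verbatim: trusted markup only, never request data */`.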