817a4491709c2168643fab6b3fc342531dcbbec9
galt
  Fri Sep 30 13:47:59 2016 -0700
Fixes Very Early Warning html handler to encode printf parameters. Fixes #18162.

diff --git src/lib/htmshell.c src/lib/htmshell.c
index 9afc9cd..894646c 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -713,31 +713,34 @@
 void htmlMemDeath()
 {
 errAbort("Out of memory.");
 }
 
 static void earlyWarningHandler(char *format, va_list args)
 /* Write an error message so user can see it before page is really started. */
 {
 static boolean initted = FALSE;
 if (!initted && !errorsNoHeader)
     {
     htmlStart("Very Early Error");
     initted = TRUE;
     }
 printf("%s", htmlWarnStartPattern());
-htmlVaParagraph(format,args);
+// old way htmlVaParagraph(format,args); cannot use without XSS-protections
+fputs("<P>", stdout);
+htmlVaEncodeErrorText(format,args);
+fputs("</P>\n", stdout);
 printf("%s", htmlWarnEndPattern());
 }
 
 static void earlyAbortHandler()
 /* Exit close web page during early abort. */
 {
 printf("</BODY></HTML>");
 exit(0);
 }
 
 void htmlPushEarlyHandlers()
 /* Push stuff to close out web page to make sensible error
  * message during initialization. */
 {
 pushWarnHandler(earlyWarningHandler);
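Review bot: The comment added above `fputs("<P>", stdout);` in earlyWarningHandler keeps the retired call as commented-out code and never says which data is untrusted. A why-comment would serve the next maintainer better, for example `/* args may carry request-derived text: HTML-encode the message instead of calling htmlVaParagraph() */`. This hunk does not show whether htmlVaEncodeErrorText() escapes only the substituted arguments or the format string too, so it is worth confirming that no caller passes user-controlled text as `format` itself. Since the commit states that htmlVaParagraph cannot be used without XSS protections, any remaining calls to it on warning or abort paths outside this hunk deserve the same check. The body of htmlPushEarlyHandlers continues past the end of the hunk.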