4080635571d545e38ec5d6d363bac9c5c9e8bd42 galt Mon Oct 3 14:46:49 2016 -0700 Refs #17782. html encode title for some codepaths in htmshell.c.
diff --git src/lib/htmshell.c src/lib/htmshell.c
index 1b07e49..9bfe1ad 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -884,31 +884,31 @@
{ //#define TOO_TIMID_FOR_CURRENT_HTML_STANDARDS #ifdef TOO_TIMID_FOR_CURRENT_HTML_STANDARDS fputs("\n", f); #else///ifndef TOO_TIMID_FOR_CURRENT_HTML_STANDARDS char *browserVersion; if (btIE == cgiClientBrowser(&browserVersion, NULL, NULL) && *browserVersion < '8') fputs("\n", f); else fputs("\n",f); // Strict would be nice since it fixes atleast one IE problem (use of :hover CSS pseudoclass) #endif///ndef TOO_TIMID_FOR_CURRENT_HTML_STANDARDS } fputs("", f);
-fprintf(f,"\n%s%s\n", head, title);
+htmlFprintf(f,"\n%s|none|%s\n", head, title); // TODO "head" var. not XSS safe
if (endsWith(title,"Login - UCSC Genome Browser")) fprintf(f,"\t\n"); fprintf(f, "\t\n"); if (htmlStyle != NULL) fputs(htmlStyle, f); if (htmlStyleSheet != NULL) fprintf(f,"\n", htmlStyleSheet); if (htmlStyleTheme != NULL) fputs(htmlStyleTheme, f); fputs("\n\n",f); printBodyTag(f); htmlWarnBoxSetup(f); }
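Review bot: `head` is still written verbatim on the new `htmlFprintf` line, because the `|none|` suffix on the first `%s` switches encoding off for it; only `title` is escaped, and the trailing TODO is the only record of that gap. If any caller can assemble `head` from request data, the document head remains an HTML-injection sink, so until the callers are audited I would replace the TODO with a contract comment such as `// head is emitted unencoded (|none|): callers must pass only trusted, server-built markup, never request-derived text`. The unchanged `fprintf(f,"\n", htmlStyleSheet);` a few lines below also goes through plain `fprintf` and may need the same treatment, though the markup in its format string is not visible on this page. The enclosing function starts above the hunk, so its callers and the origin of `head` cannot be checked from here.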