2088631197bdc3d5cd878dc3fe923aacde1f6b08
braney
  Thu Nov 10 14:31:49 2016 -0800
fix problem introduced by XSS changes

diff --git src/hg/lib/hui.c src/hg/lib/hui.c
index 3cb1819..700f0ac 100644
--- src/hg/lib/hui.c
+++ src/hg/lib/hui.c
@@ -8130,41 +8130,41 @@
     webPrintLinkCellEnd();
     }
 sqlFreeResult(&sr);
 webPrintLinkTableEnd();
 printf("Total: %d\n", count);
 }
 
 boolean printPennantIconNote(struct trackDb *tdb)
 // Returns TRUE and prints out the "pennantIcon" and note when found.
 //This is used by hgTrackUi and hgc before printing out trackDb "html"
 {
 char * setting = trackDbSetting(tdb, "pennantIcon");
 if (setting != NULL)
     {
     setting = cloneString(setting);
-    char *icon = htmlEncode(nextWord(&setting));
+    char *icon = nextWord(&setting);
     char buffer[4096];
     char *src = NULL;
     
     if (startsWith("http://", icon) || startsWith("ftp://", icon) ||
         startsWith("https://", icon))
-        src = icon;
+        src = htmlEncode(icon);
     else
         {
         safef(buffer, sizeof buffer, "../images/%s", icon);
-        src = buffer;
+        src = htmlEncode(buffer);
         }
 
     char *url = NULL;
     if (setting != NULL)
 	url = nextWord(&setting);
     char *hint = NULL;
     if (setting != NULL)
 	hint = htmlEncode(stripEnclosingDoubleQuotes(setting));
 
     if (!isEmpty(url))
         {
 	if (isEmpty(hint))
 	    printf("<P><a href='%s' TARGET=ucscHelp><img height='16' width='16' "
 		   "src='%s'></a>",url,src);
 	else
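Review bot: `url` is still written into `href='%s'` unencoded: it comes from `nextWord(&setting)` and goes straight into the `printf` at the end of this hunk, so the commit encodes `src` and `hint` but leaves one trackDb-derived value raw inside a single-quoted attribute. I would encode it before printing, for example `url = htmlEncode(url);` as the first statement inside `if (!isEmpty(url))`. The same applies to `url` in `hPrintPennantIcon` in the next hunk, where it reaches both `hPrintf` calls unchanged. Encoding does not constrain the URL scheme, so if trackDb settings can be supplied by third parties (an assumption, not visible here), the `startsWith("http://", ...)` style test already applied to `icon` is worth applying to `url` as well. The printing branches of `printPennantIconNote` continue past the end of this hunk.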
@@ -8189,38 +8189,38 @@
     return TRUE;
     }
 return FALSE;
 }
 
 boolean hPrintPennantIcon(struct trackDb *tdb)
 // Returns TRUE and prints out the "pennantIcon" when found.
 // Example: ENCODE tracks in hgTracks config list.
 {
 char *setting = trackDbSetting(tdb, "pennantIcon");
 if (setting != NULL)
     {
     setting = cloneString(setting);
     char buffer[4096];
     char *src = NULL;
-    char *icon = htmlEncode(nextWord(&setting));
+    char *icon = nextWord(&setting);
     if (startsWith("http://", icon) || startsWith("ftp://", icon) ||
         startsWith("https://", icon))
-        src = icon;
+        src = htmlEncode(icon);
     else
         {
         safef(buffer, sizeof buffer, "../images/%s", icon);
-        src = buffer;
+        src = htmlEncode(buffer);
         }
 
     if (setting)
         {
         char *url = nextWord(&setting);
         if (setting)
             {
             char *hint = htmlEncode(stripEnclosingDoubleQuotes(setting));
             hPrintf("<a title='%s' href='%s' TARGET=ucscHelp><img height='16' width='16' "
                     "src='%s'></a>\n",hint,url,src);
             freeMem(hint);
             }
         else
             hPrintf("<a href='%s' TARGET=ucscHelp><img height='16' width='16' "
                     "src='%s'></a>\n",url,src);
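Review bot: `src` now always holds the result of `htmlEncode`, which appears to be heap-allocated given the existing `freeMem(hint);` on another `htmlEncode` result, yet no matching release of `src` is visible in this hunk. If nothing later in the function frees it, add `freeMem(src);` after the two `hPrintf` branches. The body of `hPrintPennantIcon` continues past the last line of the hunk, so the release may already be there. A short comment above the scheme test would also help the next reader, for example `// test the raw icon for a scheme first; encode only the value that is printed`.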