9ea546d042a47947ff825f973f0048dfdfe36496
galt
  Fri Jan 5 17:51:24 2018 -0800
Fixing charset encoding, since utf-8 is not needed and iso-8859-1 is our standard. Also cleaned up some comments.

diff --git src/lib/htmshell.c src/lib/htmshell.c
index da213f2..f42d26d 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -694,62 +694,61 @@
 /* Log useful CGI info to stderr */
 logCgiToStderr();
 
 /* write warning/error message to stderr so they get logged. */
 vfprintf(stderr, format, argscp);
 fprintf(stderr, "\n");
 fflush(stderr);
 va_end(argscp);
 }
 
 void htmlVaBadRequestAbort(char *format, va_list args)
 /* Print out an HTTP header 400 status code (Bad Request) and message,
  * then exit with error.  For use as an errAbort handler. */
 {
 puts("Status: 400\r");
-puts("Content-Type: text/plain; charset=UTF-8\r");
+puts("Content-Type: text/plain; charset=iso-8859-1\r");
 puts("\r");
 if (format != NULL)
     {
     vfprintf(stdout, format, args);
     fprintf(stdout, "\n");
     }
 exit(-1);
 }
 
 void htmlAbort()
 /* Terminate HTML file. */
 {
 longjmp(htmlRecover, -1);
 }
 
 void htmlMemDeath()
 {
 errAbort("Out of memory.");
 }
 
 static void earlyWarningHandler(char *format, va_list args)
 /* Write an error message so user can see it before page is really started. */
 {
 static boolean initted = FALSE;
 if (!initted && !errorsNoHeader)
     {
     htmlStart("Very Early Error");
     initted = TRUE;
     }
 printf("%s", htmlWarnStartPattern());
-// old way htmlVaParagraph(format,args); cannot use without XSS-protections
 fputs("<P>", stdout);
 htmlVaEncodeErrorText(format,args);
 fputs("</P>\n", stdout);
 printf("%s", htmlWarnEndPattern());
 }
 
 static void earlyAbortHandler()
 /* Exit close web page during early abort. */
 {
 printf("</BODY></HTML>");
 exit(0);
 }
 
 void htmlPushEarlyHandlers()
 /* Push stuff to close out web page to make sensible error
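Review bot: In earlyWarningHandler the deleted `// old way ...` line was the only record of why the message goes through htmlVaEncodeErrorText instead of htmlVaParagraph, so the new code no longer says that the encoding is a security requirement. I would replace it with a forward-looking comment above `fputs("<P>", stdout);`, for example `/* Encode the message: it can presumably carry request data, so do not switch back to htmlVaParagraph. */`. Separately, htmlVaBadRequestAbort still writes the formatted message unencoded into a text/plain body. Adding `puts("X-Content-Type-Options: nosniff\r");` next to the Content-Type line would stop browsers that honour the header from sniffing that body as HTML, assuming the CGI headers reach the client unchanged.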
@@ -1067,31 +1066,31 @@
 #else///ifndef TOO_TIMID_FOR_CURRENT_HTML_STANDARDS
     char *browserVersion;
     if (btIE == cgiClientBrowser(&browserVersion, NULL, NULL) && *browserVersion < '8')
         fputs("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n", f);
     else
         fputs("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" "
               "\"http://www.w3.org/TR/html4/loose.dtd\">\n",f);
     // Strict would be nice since it fixes atleast one IE problem (use of :hover CSS pseudoclass)
 #endif///ndef TOO_TIMID_FOR_CURRENT_HTML_STANDARDS
     }
 fputs("<HTML>\n", f);
 fputs("<HEAD>\n", f);
 // CSP header
 generateCspMetaHeader(f);
 
-fputs(head, f); // TODO "head" var. not XSS safe
+fputs(head, f);
 htmlFprintf(f,"<TITLE>%s</TITLE>\n", title); 
 if (endsWith(title,"Login - UCSC Genome Browser")) 
     fprintf(f,"\t<META HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;CHARSET=iso-8859-1\">\n");
 fprintf(f, "\t<META http-equiv=\"Content-Script-Type\" content=\"text/javascript\">\n");
 if (htmlStyle != NULL)
     fputs(htmlStyle, f);
 if (htmlStyleSheet != NULL)
     fprintf(f,"<link href=\"%s\" rel=\"stylesheet\" type=\"text/css\">\n", htmlStyleSheet);
 if (htmlStyleTheme != NULL)
     fputs(htmlStyleTheme, f);
 
 fputs("</HEAD>\n\n",f);
 printBodyTag(f);
 htmlWarnBoxSetup(f);
 }
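Review bot: The `fputs(head, f);` line still writes `head` into the `<HEAD>` section verbatim, and the commit drops the TODO that flagged this without changing the call, so the open question is no longer visible to the next reader. The title on the following line goes through htmlFprintf (which I take to be the encoding variant), while `head`, `htmlStyle` and `htmlStyleTheme` are emitted with plain fputs. If every caller passes fixed, trusted markup, state that contract on the line, e.g. `fputs(head, f); /* emitted verbatim: callers must pass trusted markup, never request data */`. Otherwise keep the TODO until the callers have been audited. The enclosing function begins above this hunk, so where `head` comes from cannot be confirmed from here.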