9e14ec0edafe9e5e6adb8ffd81ecad25e7864114
galt
  Thu Aug 2 17:21:09 2018 -0700
fixes #21842. Adds CSP anti-XSS protection to hgMirror.

diff --git src/hg/pyLib/hgLib.py src/hg/pyLib/hgLib.py
index 2f70497..3234eca 100644
--- src/hg/pyLib/hgLib.py
+++ src/hg/pyLib/hgLib.py
@@ -827,31 +827,31 @@
     if temp != event:
 	warn("jsInline: javascript event %s should be given in lower-case", event)
     event = temp; 
     if not findJsEvent(event):
 	warn("jsInline: unknown javascript event %s", event)
 
 def jsOnEventById(eventName, idText, jsText):
     " Add js mapping for inline event "
     checkValidEvent(eventName)
     jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; %s};\n", idText, eventName, jsText)
 
 def jsOnEventByIdF(eventName, idText, format, *args):
     " Add js mapping for inline event with printf formatting "
     checkValidEvent(eventName)
     jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; ", idText, eventName)
-    jsInlineF(format, args)
+    jsInlineF(format, *args)
     jsInlineF("};\n")
 
 #============ END of javascript inline-separation routines ===============
 
 def cartDbLoadFromId(conn, table, cartId, oldCart):
     " Like src/hg/lib/cart.c, opens cart table and parses cart contents given a cartId of the format 123123_csctac "
     import urlparse
 
     if cartId==None:
         return {}
     cartFields = cartId.split("_")
     if len(cartFields)!=2:
         errAbort("Could not parse identifier %s for cart table %s" % (cgi.escape(cartId), table))
     idStr, secureId = cartFields
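Review bot: With `jsInlineF(format, *args)` the caller's values are now really substituted into the handler body in `jsOnEventByIdF`, and nothing visible in this hunk escapes them for a JavaScript context; the same holds for `idText` inside `getElementById('%s')` in both `jsOnEventById` and `jsOnEventByIdF`. `jsInlineF` is defined outside the hunk, so this assumes it does plain printf-style formatting. If the script collected by these routines is what the new CSP allows to run, the policy will not stop a value that closes the quoted literal, so the escaping has to happen before the call. I would state that contract in the docstring, e.g. `" Add js mapping for inline event with printf formatting. idText and args are inserted unescaped: JS-escape any request-derived value first "`, and add the same caveat for `idText`/`jsText` on `jsOnEventById`.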