3c336b221ead841fd5504ce0652874f5901e979c
jcasper
  Thu Mar 10 20:12:17 2022 -0800
Fixing a couple of injection vulnerabilities, refs #29086

diff --git src/hg/hgPublicSessions/hgPublicSessions.c src/hg/hgPublicSessions/hgPublicSessions.c
index c93917d..9565939 100644
--- src/hg/hgPublicSessions/hgPublicSessions.c
+++ src/hg/hgPublicSessions/hgPublicSessions.c
@@ -209,57 +209,58 @@
 jsOnEventById("change", "sortMethod", "changeSort();");
 printf ("<table id=\"sessionTable\" class=\"sessionTable stripe hover row-border compact\" width=\"100%%\">\n"
     "    <thead>"
     "        <tr>"
     "            <th>Screenshot</th>\n"
     "            <th>Session Properties</th>\n"
     "            <th>Creation Date</th>\n"
     "            <th>Use Count</th>\n"
     "        </tr>\n"
     "    </thead>\n");
 
 printf ("<tbody>\n");
 
 while (thisSession != NULL)
     {
-    char *settingString = NULL;
+    char *descriptionString = NULL;
     printf ("\t<tr>\n");
     if (isNotEmpty(thisSession->imgUri))
         {
         printf ("\t\t<td><a target=_blank href=\"../cgi-bin/hgTracks?%s\">",
             dyStringContents(thisSession->sessionUrl));
         printf ("<img src=\"%s\" class=\"sessionThumbnail\"></a></td>\n", thisSession->imgUri);
         }
     else
         {
         printf ("\t\t<td><center><nobr>Screenshot not available</nobr><br>\n");
         printf ("\t\t<a target=_blank href=\"../cgi-bin/hgTracks?%s\">Click Here</a> to view</center></td>\n",
             dyStringContents(thisSession->sessionUrl));
         }
 
     struct hash *settingsHash = raFromString(thisSession->settings);
-    settingString = (char*) hashFindVal(settingsHash, "description");
-    if (settingString == NULL)
-        settingString = "";
+    descriptionString = (char*) hashFindVal(settingsHash, "description");
+    if (descriptionString == NULL)
+        descriptionString = "";
     else
         {
-        settingString = replaceChars(settingString, "\\\\", "\\__ESC__");
-        settingString = replaceChars(settingString, "\\r", "\r");
-        settingString = replaceChars(settingString, "\\n", "\n");
-        settingString = replaceChars(settingString, "\\__ESC__", "\\");
+        descriptionString = replaceChars(descriptionString, "\\\\", "\\__ESC__");
+        descriptionString = replaceChars(descriptionString, "\\r", "\r");
+        descriptionString = replaceChars(descriptionString, "\\n", "\n");
+        descriptionString = replaceChars(descriptionString, "\\__ESC__", "\\");
         }
-    printf ("\t\t<td><b>Description:</b> %s<br>\n", settingString);
+    char *safeDescription = htmlEncode(descriptionString);
+    printf ("\t\t<td><b>Description:</b> %s<br>\n", safeDescription);
     printf ("\t\t<b>Author:</b> %s<br>\n", thisSession->userName);
     printf ("\t\t<b>Session Name:</b> %s<br>\n", thisSession->sessionName);
     printf ("\t\t<b>Genome Assembly:</b> %s<br>\n", thisSession->db);
     printf ("\t\t<b>Creation Date:</b> %s<br>\n", thisSession->firstUse);
     printf ("\t\t<b>Views:</b> %ld\n", thisSession->useCount);
     printf ("\t\t</td>\n");
     struct tm creationDate;
     ZeroVar(&creationDate);
     strptime(thisSession->firstUse, "%Y-%m-%d %T", &creationDate);
     /* Hidden columns */
     printf ("\t\t<td>%ld</td>\n", mktime(&creationDate));
     printf ("\t\t<td>%ld</td>\n", thisSession->useCount);
     printf ("\t</tr>\n");
     thisSession = thisSession->next;
     }
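Review bot: The encoding is applied only to the description, while the adjacent fields printed unescaped in the same row — `thisSession->userName`, `thisSession->sessionName`, `thisSession->db` at the `Author:`, `Session Name:` and `Genome Assembly:` lines — are interpolated into HTML with the same `%s` pattern; the session name in particular looks user-supplied, so it should go through the same `htmlEncode()` path, e.g. `printf ("\t\t<b>Session Name:</b> %s<br>\n", htmlEncode(thisSession->sessionName));`. The new `safeDescription` is also never released inside the loop; if `htmlEncode()` returns a fresh allocation, as `replaceChars()` does, a `freeMem(safeDescription);` after the `Description:` printf keeps the per-row leak from growing with the session list. The `sessionUrl` embedded in the two `href` attributes is likewise printed without attribute escaping; that is pre-existing and may be handled where `sessionUrl` is built, which is outside this hunk. The enclosing function starts before the hunk.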