fba8a467a16d0c62f1e21e61e21cf668bacf2ff7
chmalee
  Wed Jun 7 12:37:07 2023 -0700
htmlEncode error messages coming back when uploading a custom track, refs #31338

diff --git src/hg/hgCustom/hgCustom.c src/hg/hgCustom/hgCustom.c
index d785cca..dc122a2 100644
--- src/hg/hgCustom/hgCustom.c
+++ src/hg/hgCustom/hgCustom.c
@@ -214,34 +214,32 @@
     puts("</TD></TR></TABLE>\n");
     }
 
 /* intro text */
 puts("<P>");
 if (isUpdateForm)
     puts("Update your custom track configuration, data, and/or documentation.");
 else
     puts("Display your own data as custom annotation tracks in the browser.");
 addIntro();
 puts("<P>");
 
 /* row for error message */
 if (isNotEmpty(err))
     {
-    char *fullErrString = replaceChars(err, "\n", "<br>\n");
     printf("<P><B>&nbsp;&nbsp;&nbsp;&nbsp;<span style='color:%s; font-style:italic;'>"
-           "%s</span><P>%s</B><P>", warnOnly ? "ORANGE" : "RED", warnOnly ? "Warning" : "Error", fullErrString);
-    freeMem(fullErrString);
+           "%s</span><P>%s</B><P>", warnOnly ? "ORANGE" : "RED", warnOnly ? "Warning" : "Error", htmlEncode(err));
     /* send two lines of the message to the apache error log also: */
     char *tmpString = replaceChars(err, "\n", " ");
     fprintf(stderr, "hgCustom load error: %s\n", tmpString);
     freeMem(tmpString);
     }
 
 cgiSimpleTableStart();
 
 /* first rows for update form are for track and browser line entry */
 if (isUpdateForm)
     {
     /* row for instructions */
     cgiSimpleTableRowStart();
     cgiSimpleTableFieldStart();
     if (dataUrl)
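Review bot: The new `htmlEncode(err)` argument in the error-row printf is never released, whereas the removed code paired its temporary with `freeMem`; if htmlEncode returns a newly allocated copy, as it appears to in this library, the result should be held in a local and freed. The same line also drops the newline-to-`<br>` conversion, so a multi-line loader error will now render as one run-on line. To keep both behaviours, encode first and only then insert the `<br>` tags, since doing it the other way round would escape the tags themselves. The enclosing function starts and ends outside this hunk.

```c
/* row for error message */
if (isNotEmpty(err))
    {
    /* encode the untrusted text first, then add our own markup for line breaks */
    char *encodedErr = htmlEncode(err);
    char *fullErrString = replaceChars(encodedErr, "\n", "<br>\n");
    printf("<P><B>&nbsp;&nbsp;&nbsp;&nbsp;<span style='color:%s; font-style:italic;'>"
           "%s</span><P>%s</B><P>", warnOnly ? "ORANGE" : "RED", warnOnly ? "Warning" : "Error", fullErrString);
    freeMem(fullErrString);
    freeMem(encodedErr);
    /* … unchanged: copy of the message sent to the apache error log … */
```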