eca99d569898b0e1f599d9336563db410c096400 jcasper Sun Aug 4 18:20:13 2024 -0700 hgSession can only load sessions from URLs that are actually URLs, and no longer reports the content of bad settings (it was a security flaw). refs #34223
diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index d99504e..4857e99 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -889,36 +889,35 @@ /* Append summary/explanation to dyMessage. */ { if (stats && dyMessage) { boolean quitting = vsTooManyErrors(stats); char *atLeast = (quitting ? "At least " : ""); dyStringPrintf(dyMessage, "<br>%d valid settings found. ", stats->validCount); if (stats->binaryCount || stats->weirdCharsCount || stats->dataCount || stats->varTooLongCount || stats->valTooLongCount) dyStringPrintf(dyMessage, "<b>Note: invalid settings were found and omitted.</b> "); if (stats->binaryCount) dyStringPrintf(dyMessage, "%s%d setting names contained binary data. ", atLeast, stats->binaryCount); if (stats->weirdCharsCount) dyStringPrintf(dyMessage, - "%s%d setting names contained unexpected characters, for example '%s'. ", - atLeast, stats->weirdCharsCount, htmlEncode(stats->weirdCharsExample)); + "%s%d setting names contained unexpected characters. ", + atLeast, stats->weirdCharsCount); if (stats->dataCount) - dyStringPrintf(dyMessage, "%s%d lines appeared to be custom track data, for example " - "a line begins with '%s'. ", - atLeast, stats->dataCount, stats->dataExample); + dyStringPrintf(dyMessage, "%s%d lines appeared to be custom track data.", + atLeast, stats->dataCount); if (stats->varTooLongCount) dyStringPrintf(dyMessage, "%s%d setting names were too long (up to %d). ", atLeast, stats->varTooLongCount, stats->varTooLongLength); if (stats->valTooLongCount) dyStringPrintf(dyMessage, "%s%d setting values were too long (up to %d). ", atLeast, stats->valTooLongCount, stats->valTooLongLength); if (quitting) dyStringPrintf(dyMessage, "Encountered too many errors -- quitting. "); } } // Our timestamp vars (_, hgt_) are an exception to the usual cart var naming patterns: #define CART_VAR_TIMESTAMP "^([a-z]+)?_$" // Legitimate cart vars look like this (but so do some not-vars, so we filter further below): #define CART_VAR_VALID_CHARACTERS "^[A-Za-z]([A-Za-z0-9._:-]*[A-Za-z0-9]+)?$"
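Review bot: The new custom-track message on the second `+` line drops the trailing space that every sibling message in this function ends with (`"... binary data. "`, `"... too long (up to %d). "`), so when a later count is also non-zero the two sentences run together in dyMessage; change it to `"%s%d lines appeared to be custom track data. "`. With both example strings gone, the remaining format arguments are integer counts/lengths and the constant `atLeast`, so nothing taken from the loaded settings reaches the HTML output from this function any more. The `weirdCharsExample` and `dataExample` fields are presumably still being filled in by the stats-collection code outside this hunk; if nothing else reads them, removing them (or at least commenting on the struct that they must never be echoed unencoded) would stop the old behaviour from being reintroduced. The enclosing function's signature is above the hunk.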