2694cffb31b95f1729b2d8c5252e406e66a5e61d
max
  Thu Mar 26 02:18:25 2026 -0700
changes after AI code review

diff --git src/hg/hgc/bigBedClick.c src/hg/hgc/bigBedClick.c
index d3f24d7a78f..fbdc6fd038d 100644
--- src/hg/hgc/bigBedClick.c
+++ src/hg/hgc/bigBedClick.c
@@ -378,30 +378,32 @@
 struct hash *plotTypeHash = hashNew(0);
 struct slName *setting;
 for (setting = settings; setting != NULL; setting = setting->next)
     {
     // Parse "detailsScript.<plotType>.<fieldName>"
     char *key = cloneString(setting->name);
     char *dot1 = strchr(key, '.');
     if (dot1 == NULL)
         continue;
     dot1++;
     char *dot2 = strchr(dot1, '.');
     if (dot2 == NULL)
         continue;
     *dot2 = '\0';
     char *plotType = dot1;
+    if (!isSymbolString(plotType)) // plotTypes must be simple strings - no XSS injection from hub
+        continue;
     char *fieldName = dot2 + 1;
     char *jsonConfig = trackDbSetting(tdb, setting->name);
 
     struct slPair *entry;
     AllocVar(entry);
     entry->name = cloneString(fieldName);
     entry->val = cloneString(jsonConfig);
     struct slPair *existing = hashFindVal(plotTypeHash, plotType);
     slAddTail(&existing, entry);
     if (hashLookup(plotTypeHash, plotType) == NULL)
         hashAdd(plotTypeHash, plotType, entry);
     else
         hashReplace(plotTypeHash, plotType, existing);
     }
 slFreeList(&settings);
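Review bot: The new isSymbolString() guard covers only plotType; fieldName, taken from the same hub-supplied setting name on the next line (`char *fieldName = dot2 + 1;`) and stored via `entry->name = cloneString(fieldName);`, is not checked, so if it is later written into the details page it presumably carries the same risk the comment describes. Extending the guard is a one-line change: `if (!isSymbolString(plotType) || !isSymbolString(dot2 + 1)) // keep hub-supplied names to simple symbols`. The added `continue` also skips the setting without freeing `key` from `cloneString(setting->name)`, as the two existing early `continue`s already do, so every rejected setting leaks one copy; a `freeMem(key)` before each `continue`, or validating on `setting->name` before cloning, would close that. The enclosing function begins and ends outside this hunk.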