e6389247d87dbd7b448a74f910033bceb9555633
chmalee
  Tue Mar 17 15:20:34 2026 -0700
Changes from code review, refs #37212

diff --git src/hg/lib/web.c src/hg/lib/web.c
index 829fe9d9214..5c118dcbaa5 100644
--- src/hg/lib/web.c
+++ src/hg/lib/web.c
@@ -981,31 +981,31 @@
     "hg38,hg19,mm39,mm10,rn7,danRer11,dm6,ce11,sacCer3");
 struct slName *dbNames = slNameListFromComma(popularStr);
 struct dyString *json = dyStringNew(512);
 dyStringAppendC(json, '[');
 boolean first = TRUE;
 struct slName *dbIter;
 for (dbIter = dbNames; dbIter != NULL; dbIter = dbIter->next)
     {
     struct dbDb *info = hDbDb(dbIter->name);
     if (info == NULL || !info->active)
         continue;
     if (!first)
         dyStringAppendC(json, ',');
     first = FALSE;
     dyStringPrintf(json, "{\"db\":\"%s\",\"label\":\"%s - %s (%s)\",\"commonName\":\"%s\"}",
-        info->name, info->organism, info->description, info->name, info->organism);
+        jsonStringEscape(info->name), jsonStringEscape(info->organism), jsonStringEscape(info->description), jsonStringEscape(info->name), jsonStringEscape(info->organism));
     }
 dyStringAppendC(json, ']');
 printf("<script type='application/json' id='%sPopularData'>%s</script>\n", id, dyStringContents(json));
 dyStringFree(&json);
 slFreeList(&dbNames);
 }
 printf("</div>\n");
 }
 
 static char *getDbForGenome(char *genome, struct cart *cart)
 /*
   Function to find the default database for the given Genome.
 It looks in the cart first and then, if that database's Genome matches the
 passed-in Genome, returns it. If the Genome does not match, it returns the default
 database that does match that Genome.
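Review bot: The escaped values are still written into a `<script type='application/json'>` element by the `printf` after the loop, and JSON string escaping is only sufficient there if no value can produce the sequence `</script`; whether `jsonStringEscape()` escapes `/` or `<` is not visible in this hunk and should be confirmed, and `id` is placed unescaped into the quoted `id` attribute of the same tag. I would add a comment above that `printf`, e.g. `/* values end up inside <script>: must be JSON-escaped and unable to form "</script" */`. Separately, the five `jsonStringEscape()` results are passed straight to `dyStringPrintf` and never kept, so if the helper returns newly allocated strings (as I believe it does, though its definition is not shown here) every loop iteration leaks them. Escaping `info->name`, `info->organism` and `info->description` once each into locals and releasing them after the append would fix that and avoid escaping `name` and `organism` twice. The enclosing function begins before this hunk, so where `id` and `popularStr` come from cannot be checked from here.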