53621f3c5ef75891a7b04cf18d85180677a38f23
chmalee
  Wed Apr 8 11:38:53 2026 -0700
Fix bug in hgc user-defined table printing where we overwrote the variable that held the data for each custom table. Also fix an XSS vector in the table titles, plus some related code cleanup, refs #37340

diff --git src/hg/js/hgc.js src/hg/js/hgc.js
index d92af2cf85e..adc87e26351 100644
--- src/hg/js/hgc.js
+++ src/hg/js/hgc.js
@@ -416,45 +416,45 @@
         svg.appendChild(barVal);
     }
 }
 
 function initPage() {
     if (typeof doHPRCTable !== "undefined") {
         makeHPRCTable();
     }
     if (typeof svgTable !== "undefined") {
         // redraw the svg with appropriate widths for all columns
         // swatchWidth and columnSpacer are taken from svgBarChart() in hgc/barChartClick.c
         // they should probably be dynamically determined
         drawSvgTable(document.getElementById("svgBarChart"), barChartValues);
     }
     if (typeof _jsonHgcLabels !== "undefined") {
-        var obj, o;
-        for (obj in _jsonHgcLabels) {
+        let obj;
+        for (obj of _jsonHgcLabels) {
             // build up the new table:
             var newTable = document.createElement("table");
             var newRow = newTable.insertRow();
             var newCell = newRow.insertCell();
-            var label = _jsonHgcLabels[obj].label;
-            var data = _jsonHgcLabels[obj].data;
+            var label = obj.label;
+            var data = obj.data;
             var newText = document.createTextNode(label);
             newCell.appendChild(newText);
             newCell = newRow.insertCell();
             newCell.appendChild(dataToTable(label, data));
             // find the last details table and add a new table on:
             var currTbl = $(".bedExtraTbl");
-            l = currTbl.length;
+            let l = currTbl.length;
             var last = currTbl[l-1];
             insertAfter(newTable, last);
             newTable.classList.add("bedExtraTbl");
             last.parentNode.insertBefore(document.createElement("br"), newTable);
         }
     }
     document.querySelectorAll('.hideToggle').forEach(function(element) {
        element.addEventListener('click', function() {
          var targetId = this.getAttribute('dataTarget');
          var targetDiv = document.getElementById(targetId);
          var toggleImg = this.querySelector('img');
          if (targetDiv.style.display === 'none') {
              targetDiv.style.display = 'block';
              toggleImg.src = '../images/remove_sm.gif';
          } else {
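Review bot: `var last = currTbl[l-1];` is used without checking that any `.bedExtraTbl` element matched, so on a page with none `last` is undefined and `last.parentNode` throws (the `insertAfter(newTable, last)` call before it probably fails too), which aborts initPage() before the `.hideToggle` click handlers below are attached. A guard such as `if (!last) { continue; }` right after that line, or a fallback to a known container, would keep the rest of the page working. Separately, `for (obj of _jsonHgcLabels)` assumes the server emits an array; the declaration is outside this hunk, so it is worth confirming it can never be a plain object, which would now throw a TypeError where `for...in` did not. Writing it as `for (const obj of _jsonHgcLabels)` would also scope the binding to the loop and drop the separate `let obj;`. The body of initPage continues past the end of the hunk.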