e375b6261547192b9aebef00662d48fb7256c032
chmalee
  Mon May 4 09:00:02 2026 -0700
Fix a comment typo and some potential XSS vectors pointed out in code review email

diff --git src/hg/hgc/myVariantsClick.c src/hg/hgc/myVariantsClick.c
index 65bca4ac724..33948a1358f 100644
--- src/hg/hgc/myVariantsClick.c
+++ src/hg/hgc/myVariantsClick.c
@@ -64,35 +64,35 @@
     tableName, idString);
 struct sqlResult *sr = sqlGetResult(conn, query);
 
 char **row;
 if ((row = sqlNextRow(sr)) != NULL)
     {
     struct myVariants *item = myVariantsLoad(row);
     sqlFreeResult(&sr);  /* Free early so conn is available for custom field queries */
 
     /* Show shared banner */
     if (isShared)
         {
         if (canEdit)
             printf("<div style='padding:6px; margin-bottom:8px; background:#e8f5e9; "
                 "border:1px solid #a5d6a7; border-radius:4px'>"
-                "<B>Shared from %s</B></div>\n", dataOwner);
+                "<B>Shared from %s</B></div>\n", htmlEncode(dataOwner));
         else
             printf("<div style='padding:6px; margin-bottom:8px; background:#e3f2fd; "
                 "border:1px solid #90caf9; border-radius:4px'>"
-                "<B>Shared from %s (read-only)</B></div>\n", dataOwner);
+                "<B>Shared from %s (read-only)</B></div>\n", htmlEncode(dataOwner));
         }
 
     if (canEdit)
         {
         printf("<FORM ACTION=\"%s\" METHOD=\"POST\">\n\n", hgTracksName());
         cartSaveSession(cart);
 
         /* Save away ID string in hidden var. */
         char varName[128];
         char idStr[128];
         safef(varName, sizeof(varName), "%s_%s", trackName, "id");
         safef(idStr, sizeof(idStr), "%d", item->id);
         cgiMakeHiddenVar(varName, idStr);
 
         /* Put up editable label. */