e375b6261547192b9aebef00662d48fb7256c032 chmalee Mon May 4 09:00:02 2026 -0700 Fix a comment typo and some potential XSS vectors pointed out in code review email diff --git src/hg/hgc/myVariantsClick.c src/hg/hgc/myVariantsClick.c index 65bca4ac724..33948a1358f 100644 --- src/hg/hgc/myVariantsClick.c +++ src/hg/hgc/myVariantsClick.c @@ -64,35 +64,35 @@ tableName, idString); struct sqlResult *sr = sqlGetResult(conn, query); char **row; if ((row = sqlNextRow(sr)) != NULL) { struct myVariants *item = myVariantsLoad(row); sqlFreeResult(&sr); /* Free early so conn is available for custom field queries */ /* Show shared banner */ if (isShared) { if (canEdit) printf("<div style='padding:6px; margin-bottom:8px; background:#e8f5e9; " "border:1px solid #a5d6a7; border-radius:4px'>" - "<B>Shared from %s</B></div>\n", dataOwner); + "<B>Shared from %s</B></div>\n", htmlEncode(dataOwner)); else printf("<div style='padding:6px; margin-bottom:8px; background:#e3f2fd; " "border:1px solid #90caf9; border-radius:4px'>" - "<B>Shared from %s (read-only)</B></div>\n", dataOwner); + "<B>Shared from %s (read-only)</B></div>\n", htmlEncode(dataOwner)); } if (canEdit) { printf("<FORM ACTION=\"%s\" METHOD=\"POST\">\n\n", hgTracksName()); cartSaveSession(cart); /* Save away ID string in hidden var. */ char varName[128]; char idStr[128]; safef(varName, sizeof(varName), "%s_%s", trackName, "id"); safef(idStr, sizeof(idStr), "%d", item->id); cgiMakeHiddenVar(varName, idStr); /* Put up editable label. */