48b00fd6aaa85aee01dc7efb2c68374bf980c1a2 chmalee Mon Jun 1 15:17:50 2026 -0700 Fix not html encoding hgPublic sessions output of username, sessionName, db, and searchStr fields, refs #37663
diff --git src/hg/hgPublicSessions/hgPublicSessions.c src/hg/hgPublicSessions/hgPublicSessions.c
index 95659398981..2f392ed1c2e 100644
--- src/hg/hgPublicSessions/hgPublicSessions.c
+++ src/hg/hgPublicSessions/hgPublicSessions.c
@@ -7,30 +7,31 @@
 #include "linefile.h"
 #include "hash.h"
 #include "options.h"
 #include "jksql.h"
 #include "htmshell.h"
 #include "web.h"
 #include "cheapcgi.h"
 #include "cart.h"
 #include "hui.h"
 #include "ra.h"
 #include "dystring.h"
 #include "hPrint.h"
 #include "hgConfig.h"
 #include "sessionThumbnail.h"
 #include "jsHelper.h"
+#include "jsonParse.h"
 #include "verbose.h"
 struct galleryEntry
 /* Holds data for a single session in the gallery*/
 {
 struct galleryEntry *next;
 char *userName;
 char *realName;
 char *userIdx;
 char *sessionName;
 char *settings;
 char *db;
 char *firstUse;
 char *imgPath;
 char *imgUri;
@@ -152,31 +153,31 @@
 * Then set up the ordering drop-down menu */
 jsInlineF(
 "$(document).ready(function () {\n"
 " $('#sessionTable').DataTable({\"columnDefs\": [{\"visible\":false, \"targets\":[2,3]},\n"
 " {\"orderable\":false, \"targets\":[0,1]}\n"
 " ],\n"
 " \"dom\":\"lftip\",\n"
 " \"stateSave\":true,\n"
 " \"stateSaveCallback\": %s,\n"
 " \"stateLoadCallback\": %s,\n"
 " });\n", jsDataTableStateSave(hgPublicSessionsPrefix), jsDataTableStateLoad(hgPublicSessionsPrefix, cart));
 // the user may have cleared the previous search via cgi option, or tried a new search:
 if (searchStrExists)
-jsInlineF(" $('#sessionTable').DataTable().search(\"%s\").draw();\n", searchStr);
+jsInlineF(" $('#sessionTable').DataTable().search(\"%s\").draw();\n", jsonStringEscape(searchStr));
 /* Recover previous sorting choice from the cart settings, if available */
 jsInlineF(
 " var startOrder = $('#sessionTable').DataTable().order();\n"
 " if (startOrder[0][0] == 3) {\n"
 " if (startOrder[0][1] == \"asc\") {\n"
 " $('#sortMethod').val(\"useAsc\");\n"
 " } else {\n"
 " $('#sortMethod').val(\"useDesc\");\n"
 " }\n"
 " } else {\n"
 " if (startOrder[0][0] == 2) {\n"
 " if (startOrder[0][1] == \"asc\") {\n"
 " $('#sortMethod').val(\"dateAsc\");\n"
 " } else {\n"
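Review bot: jsonStringEscape(searchStr) on the added line handles the JavaScript string-literal context (quotes and backslashes), but the literal sits inside an inline script block in HTML, and a `</script>` sequence in searchStr ends the script element before the JS parser sees any escaping — unless jsonStringEscape also escapes `/`, which cannot be confirmed from this hunk. That is worth checking; if it does not, escaping `<` (for example to `\u003c`) before interpolating is the usual way to close the gap, since searchStr is one of the user-supplied fields this commit is hardening. A one-line comment above the call, such as `// searchStr is user input: escape for the JS string literal, and keep it free of </script>`, would record the intent for the next maintainer. The enclosing function begins before and continues after this hunk.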
@@ -237,33 +238,33 @@
 }
 struct hash *settingsHash = raFromString(thisSession->settings);
 descriptionString = (char*) hashFindVal(settingsHash, "description");
 if (descriptionString == NULL)
 descriptionString = "";
 else
 {
 descriptionString = replaceChars(descriptionString, "\\\\", "\\__ESC__");
 descriptionString = replaceChars(descriptionString, "\\r", "\r");
 descriptionString = replaceChars(descriptionString, "\\n", "\n");
 descriptionString = replaceChars(descriptionString, "\\__ESC__", "\\");
 }
 char *safeDescription = htmlEncode(descriptionString);
 printf ("\t\t<td><b>Description:</b> %s<br>\n", safeDescription);
-printf ("\t\t<b>Author:</b> %s<br>\n", thisSession->userName);
-printf ("\t\t<b>Session Name:</b> %s<br>\n", thisSession->sessionName);
-printf ("\t\t<b>Genome Assembly:</b> %s<br>\n", thisSession->db);
+printf ("\t\t<b>Author:</b> %s<br>\n", htmlEncode(thisSession->userName));
+printf ("\t\t<b>Session Name:</b> %s<br>\n", htmlEncode(thisSession->sessionName));
+printf ("\t\t<b>Genome Assembly:</b> %s<br>\n", htmlEncode(thisSession->db));
 printf ("\t\t<b>Creation Date:</b> %s<br>\n", thisSession->firstUse);
 printf ("\t\t<b>Views:</b> %ld\n", thisSession->useCount);
 printf ("\t\t</td>\n");
 struct tm creationDate;
 ZeroVar(&creationDate);
 strptime(thisSession->firstUse, "%Y-%m-%d %T", &creationDate);
 /* Hidden columns */
 printf ("\t\t<td>%ld</td>\n", mktime(&creationDate));
 printf ("\t\t<td>%ld</td>\n", thisSession->useCount);
 printf ("\t</tr>\n");
 thisSession = thisSession->next;
 }
 printf ("</tbody>\n");
 printf ("</table>\n");
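Review bot: The three added htmlEncode() calls are passed straight into printf inside the per-session loop, while the line just above keeps its result in safeDescription; if htmlEncode returns a freshly allocated string, as that idiom suggests, each iteration now leaks three strings and the inline form gives no handle to free them. Naming the results like safeDescription and releasing them once the cell is printed keeps the block uniform and leak-free. thisSession->firstUse is still printed raw on the Creation Date line; it is parsed by strptime two lines later so it is presumably a database-generated timestamp, but encoding it as well would make every field in this cell follow the same rule. The enclosing loop and function begin before and end after this hunk.
```c
char *safeDescription = htmlEncode(descriptionString);
char *safeUser = htmlEncode(thisSession->userName);
char *safeSessionName = htmlEncode(thisSession->sessionName);
char *safeDb = htmlEncode(thisSession->db);
printf ("\t\t<td><b>Description:</b> %s<br>\n", safeDescription);
printf ("\t\t<b>Author:</b> %s<br>\n", safeUser);
printf ("\t\t<b>Session Name:</b> %s<br>\n", safeSessionName);
printf ("\t\t<b>Genome Assembly:</b> %s<br>\n", safeDb);
/* … unchanged: Creation Date, Views, closing </td> … */
freeMem(safeUser);
freeMem(safeSessionName);
freeMem(safeDb);
```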