97581eb831d5c2b70494276cd4df9e6d97d598b2
jcasper
  Mon Mar 16 09:34:02 2026 -0700
We should HTML encode strings from trackDb when displaying them, refs #37090

diff --git src/hg/hgTrackUi/hgTrackUi.c src/hg/hgTrackUi/hgTrackUi.c
index 4a081afc585..9138d99c494 100644
--- src/hg/hgTrackUi/hgTrackUi.c
+++ src/hg/hgTrackUi/hgTrackUi.c
@@ -3072,32 +3072,34 @@
             // Now we have to check for any cart variables that turn on a track with this data type
             struct slPair *dt_vars = cartVarsLike(cart, toMatch);
             struct slPair *this_var = dt_vars;
             while (this_var != NULL)
                 {
                 if (cartBoolean(cart, this_var->name))
                     {
                     slNameAddHead(&selectedDataTypes, thisType->name);
                     selected = TRUE;
                     break;
                     }
                 this_var = this_var->next;
                 }
             slPairFreeList(&dt_vars);
             }
+        char *label = htmlEncode(stripEnclosingDoubleQuotes(thisType->val));
         printf("%s\"%s\": {\"active\":%d, \"title\":\"%s\"}", COMMA_IF(not_first), thisType->name,
-                selected ? 1 : 0, stripEnclosingDoubleQuotes(thisType->val));
+                selected ? 1 : 0, label);
+        freeMem(label);
         }
     }
 // else: dataTypes dict is empty - JS will detect this
 printf(closeDataTypesJSON);
 printf(",");  // add separator
 
 // find selected data sets
 printf(openDataElementsJSON);
 not_first = 0;
 if (hasDataTypes)
     {
     char toMatch[token_size];
     safef(toMatch, token_size, "%s_*_*_sel", metaDataId);
     struct slPair *mdidVars = cartVarsLike(cart, toMatch);
     for (struct slPair *le = mdidVars; le != NULL; le = le->next)
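Review bot: The encoded `label` is written inside a JSON string literal (`\"title\":\"%s\"`), but htmlEncode() is an HTML escaper, not a JSON one: a backslash or control character in the trackDb value, and a `"` if htmlEncode() leaves quotes alone, still reaches the JSON unescaped and can break or alter the structure the JS then parses. The same printf also emits `thisType->name` raw as the JSON key, so if that field comes from trackDb as well it needs the same treatment as the title. I would escape the value for the JSON string context (with whatever JSON string-escaping helper this codebase already uses for its JSON output) after or instead of htmlEncode(), and note the choice on the declaration, e.g. `// label is HTML-encoded for display; it must also be JSON-string-escaped before it is printed inside the quoted title below`. Whether HTML encoding is even wanted here depends on whether the JS inserts `title` via innerHTML or textContent, which is not visible in this hunk. The enclosing function begins before and continues after this hunk.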