From 0dfd6f002c4b1909462b7d8763d0a1f84c062441 Mon Sep 17 00:00:00 2001
From: vagisha <vagisha@gmail.com>
Date: Thu, 13 Mar 2025 11:36:09 -0700
Subject: [PATCH 1/4] Use PageFlowUtil.jsString to escape container path.

---
 .../panoramapublic/query/ExperimentAnnotationsTableInfo.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java b/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
index 4c93fbea..95949b23 100644
--- a/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
+++ b/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
@@ -162,7 +162,10 @@ public void renderGridCellContents(RenderContext ctx, Writer out) throws IOExcep
                                             .at(src, PageFlowUtil.staticResourceUrl("_images/plus.gif"))),
                                     HtmlString.NBSP)
                                     .appendTo(out);
-                            pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,'" + container.getPath() + "', '" + id + "','" + detailsPage + "')");
+                            pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,"
+                                    + PageFlowUtil.jsString(container.getPath())
+                                    + ", '" + id + "', "
+                                    + PageFlowUtil.jsString(detailsPage) + ")");
                         }
                         super.renderGridCellContents(ctx, out);
                     }

From ebb8ffb0287ee8cf25db9963717ec41d84c6bbbd Mon Sep 17 00:00:00 2001
From: vagisha <vagisha@gmail.com>
Date: Thu, 20 Mar 2025 12:13:39 -0700
Subject: [PATCH 2/4] id is a non-null Integer, so does not need to be quoted
 when passing as parameter to a JS function.

---
 .../panoramapublic/query/ExperimentAnnotationsTableInfo.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java b/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
index 95949b23..622a5181 100644
--- a/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
+++ b/panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java
@@ -164,7 +164,7 @@ public void renderGridCellContents(RenderContext ctx, Writer out) throws IOExcep
                                     .appendTo(out);
                             pageConfig.addHandler(spanId, "click", "viewExperimentDetails(this,"
                                     + PageFlowUtil.jsString(container.getPath())
-                                    + ", '" + id + "', "
+                                    + ", " + id + ", "
                                     + PageFlowUtil.jsString(detailsPage) + ")");
                         }
                         super.renderGridCellContents(ctx, out);

From 0fc25a34e1dc3639dca876a709f617ec1a35e2b0 Mon Sep 17 00:00:00 2001
From: vagisha <vagisha@gmail.com>
Date: Thu, 20 Mar 2025 12:16:05 -0700
Subject: [PATCH 3/4] HTML-escape the abstract, experiment and sample
 descriptions displayed by dropDownUtils.js

---
 panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js b/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
index 08af5147..d9e66aec 100644
--- a/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
+++ b/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
@@ -66,12 +66,13 @@ viewExperimentDetails = function (obj, experimentContainer, id, detailsPageURL)
         var results;
         if(object.rows[rowNum][type] != null)
         {
-            if(object.rows[rowNum][type].length > 500)
+            let description = object.rows[rowNum][type];
+            if(description.length > 500)
             {
-                results = object.rows[rowNum][type].substring(0,500)+"<a href='"+detailsPageURL+"'>...more.</a>";
+                results =  LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href='"+ LABKEY.Utils.encodeHtml(detailsPageURL) +"'>...more.</a>";
             }
             else {
-                results =object.rows[rowNum][type];
+                results =  LABKEY.Utils.encodeHtml(description);
             }
         }
         else {results = null;}

From cd69a77255d2fe090b83fb82a6d9d2aefe404133 Mon Sep 17 00:00:00 2001
From: vagisha <vagisha@gmail.com>
Date: Fri, 21 Mar 2025 16:13:41 -0700
Subject: [PATCH 4/4] Update
 panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js

Co-authored-by: Josh Eckels <jeckels@labkey.com>
---
 panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js b/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
index d9e66aec..cb4252d3 100644
--- a/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
+++ b/panoramapublic/webapp/PanoramaPublic/js/dropDownUtil.js
@@ -69,7 +69,7 @@ viewExperimentDetails = function (obj, experimentContainer, id, detailsPageURL)
             let description = object.rows[rowNum][type];
             if(description.length > 500)
             {
-                results =  LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href='"+ LABKEY.Utils.encodeHtml(detailsPageURL) +"'>...more.</a>";
+                results =  LABKEY.Utils.encodeHtml(description.substring(0,500)) +"<a href=\""+ LABKEY.Utils.encodeHtml(detailsPageURL) +"\">...more.</a>";
             }
             else {
                 results =  LABKEY.Utils.encodeHtml(description);