Run all variables containing user-entered text through p::clean()

6 files changed, 16 insertions, 12 deletions

diff --git a/themes/default/views/album.html.php b/themes/default/views/album.html.php
index f4baa210..6e17696d 100644
--- a/themes/default/views/album.html.php
+++ b/themes/default/views/album.html.php
@@ -2,8 +2,8 @@
 <? // @todo Set hover on AlbumGrid list items for guest users ?>
 <div id="gInfo">
   <?= $theme->album_top() ?>
-  <h1><?= $item->title ?></h1>
-  <div class="gDescription"><?= $item->description ?></div>
+  <h1><?= p::clean($item->title) ?></h1>
+  <div class="gDescription"><?= p::clean($item->description) ?></div>
 </div>
 
 <ul id="gAlbumGrid">
@@ -18,7 +18,7 @@
       <?= $child->thumb_tag(array("class" => "gThumbnail")) ?>
     </a>
     <?= $theme->thumb_bottom($child) ?>
-    <h2><span></span><a href="<?= $child->url() ?>"><?= $child->title ?></a></h2>
+    <h2><span></span><a href="<?= $child->url() ?>"><?= p::clean($child->title) ?></a></h2>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
     </ul>
diff --git a/themes/default/views/dynamic.html.php b/themes/default/views/dynamic.html.php
index 8d2d2123..12b5192c 100644
--- a/themes/default/views/dynamic.html.php
+++ b/themes/default/views/dynamic.html.php
@@ -3,7 +3,7 @@
   <div id="gAlbumHeaderButtons">
     <?= $theme->dynamic_top() ?>
   </div>
-  <h1><?= $tag->name ?></h1>
+  <h1><?= p::clean($tag->name) ?></h1>
 </div>
 
 <ul id="gAlbumGrid">
@@ -16,7 +16,7 @@
            width="<?= $child->thumb_width ?>"
            height="<?= $child->thumb_height ?>" />
     </a>
-    <h2><?= $child->title ?></h2>
+    <h2><?= p::clean($child->title) ?></h2>
     <?= $theme->thumb_bottom($child) ?>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
diff --git a/themes/default/views/header.html.php b/themes/default/views/header.html.php
index 9d058e35..1e70b7ac 100644
--- a/themes/default/views/header.html.php
+++ b/themes/default/views/header.html.php
@@ -17,8 +17,12 @@
 <? if (!empty($parents)): ?>
 <ul class="gBreadcrumbs">
   <? foreach ($parents as $parent): ?>
-  <li><a href="<?= url::site("albums/{$parent->id}?show=$item->id") ?>"><?= $parent->title ?></a></li>
+  <li>
+    <a href="<?= url::site("albums/{$parent->id}?show=$item->id") ?>">
+      <?= p::clean($parent->title) ?>
+    </a>
+  </li>
   <? endforeach ?>
-  <li class="active"><?= $item->title ?></li>
+  <li class="active"><?= p::clean($item->title) ?></li>
 </ul>
 <? endif ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index bde147ad..0cdf63fa 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -32,8 +32,8 @@
   </script>
 
   <div id="gInfo">
-    <h1><?= $item->title ?></h1>
-    <div><?= $item->description ?></div>
+    <h1><?= p::clean($item->title) ?></h1>
+    <div><?= p::clean($item->description) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index fc61f52d..b3ee88b0 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -8,7 +8,7 @@
       <? if (empty($page_title)): ?>
         <?= t("Browse Photos") ?>
         <? if (!empty($item)): ?>
-        :: <?= $item->title ?>
+        :: <?= p::clean($item->title) ?>
         <? endif ?>
       <? else: ?>
         <?= $page_title ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index ab46a528..fab6f138 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -37,8 +37,8 @@
   </div>
 
   <div id="gInfo">
-    <h1><?= $item->title ?></h1>
-    <div><?= $item->description ?></div>
+    <h1><?= p::clean($item->title) ?></h1>
+    <div><?= p::clean($item->description) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>