author | Andy Staudacher <andy.st@gmail.com> | 2009-09-01 01:28:52 -0700 |
---|---|---|
committer | Andy Staudacher <andy.st@gmail.com> | 2009-09-01 01:28:52 -0700 |
commit | 53711225ac9d116e72c159de943284fd55fe26e4 (patch) | |
tree | fa88f7786c2a5f30db2a12f8f601d4f55c5824d6 | |
parent | 94c201f265c758fad38eb69c0a5878970119197a (diff) |
XSS / style fixes for newly detected issues (after fixing XSS scanner)
-rw-r--r-- | modules/comment/views/admin_comments.html.php | 6 | ||||
-rw-r--r-- | modules/gallery/views/admin_dashboard.html.php | 2 | ||||
-rw-r--r-- | modules/gallery/views/admin_graphics.html.php | 2 | ||||
-rw-r--r-- | modules/gallery/views/admin_maintenance_task.html.php | 2 | ||||
-rw-r--r-- | modules/recaptcha/views/admin_recaptcha.html.php | 4 | ||||
-rw-r--r-- | modules/recaptcha/views/form_recaptcha.html.php | 2 | ||||
-rw-r--r-- | modules/user/views/login_ajax.html.php | 2 |
7 files changed, 10 insertions, 10 deletions
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index f5970ae1..455cd714 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -1,7 +1,7 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <script type="text/javascript">
 var set_state_url =
- "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=$csrf") ?>";
+ <?= html::js_string(url::site("admin/comments/set_state/__ID__/__STATE__?csrf=$csrf")) ?>;
 function set_state(state, id) {
 $.get(set_state_url.replace("__STATE__", state).replace("__ID__", id), {},
@@ -12,7 +12,7 @@
 }
 var delete_url =
- "<?= url::site("admin/comments/delete/__ID__?csrf=$csrf") ?>";
+ <?= html::js_string(url::site("admin/comments/delete/__ID__?csrf=$csrf")) ?>;
 function del(id) {
 $.get(delete_url.replace("__ID__", id),
@@ -24,7 +24,7 @@
 }
 function update_menu() {
- $.get("<?= url::site("admin/comments/menu_labels") ?>", {},
+ $.get(<?= html::js_string(url::site("admin/comments/menu_labels")) ?>, {},
 function(data) {
 for (var i = 0; i < data.length; i++) {
 $("#gAdminCommentsMenu li:eq(" + i + ") a").html(data[i]);
diff --git a/modules/gallery/views/admin_dashboard.html.php b/modules/gallery/views/admin_dashboard.html.php
index a2d22ab6..148de65f 100644
--- a/modules/gallery/views/admin_dashboard.html.php
+++ b/modules/gallery/views/admin_dashboard.html.php
@@ -1,7 +1,7 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <script type="text/javascript">
 update_blocks = function() {
- $.get("<?= url::site("admin/dashboard/reorder") ?>",
+ $.get(<?= html::js_string(url::site("admin/dashboard/reorder")) ?>,
 {"csrf": "<?= $csrf ?>",
 "dashboard_center[]": $("#gAdminDashboard").sortable(
 "toArray", {attribute: "block_id"}),
diff --git a/modules/gallery/views/admin_graphics.html.php b/modules/gallery/views/admin_graphics.html.php
index c4a2f5c6..f64c7f80 100644
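Review bot: In the admin_dashboard.html.php hunk, `$csrf` is still echoed bare into a JS string literal on the context line `{"csrf": "<?= $csrf ?>",` immediately below the `$.get(` call this commit fixes. The other hunks show `html::js_string()` emitting its own quotes, so the same treatment, `{"csrf": <?= html::js_string($csrf) ?>,`, would close the gap and keep the scanner quiet on this block. `$csrf` is presumably a server-generated token rather than attacker-controlled input, so this is a consistency point rather than a live injection. The `update_blocks` function body continues outside the hunk.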
--- a/modules/gallery/views/admin_graphics.html.php
+++ b/modules/gallery/views/admin_graphics.html.php
@@ -3,7 +3,7 @@
 $(document).ready(function() {
 select_toolkit = function(el) {
 if (!$(this).hasClass("gUnavailable")) {
- window.location = '<?= url::site("admin/graphics/choose/__TK__?csrf=$csrf") ?>'
+ window.location = <?= html::js_string(url::site("admin/graphics/choose/__TK__?csrf=$csrf")) ?>
 .replace("__TK__", $(this).attr("id"));
 }
 };
diff --git a/modules/gallery/views/admin_maintenance_task.html.php b/modules/gallery/views/admin_maintenance_task.html.php
index 0f33d508..fc0e0af5 100644
--- a/modules/gallery/views/admin_maintenance_task.html.php
+++ b/modules/gallery/views/admin_maintenance_task.html.php
@@ -28,7 +28,7 @@
 update = function() {
 $.ajax({
- url: "<?= url::site("admin/maintenance/run/$task->id?csrf=$csrf") ?>",
+ url: <?= html::js_string(url::site("admin/maintenance/run/$task->id?csrf=$csrf")) ?>,
 dataType: "json",
 success: function(data) {
 target_value = data.task.percent_complete;
diff --git a/modules/recaptcha/views/admin_recaptcha.html.php b/modules/recaptcha/views/admin_recaptcha.html.php
index 43b4da8a..35722be4 100644
--- a/modules/recaptcha/views/admin_recaptcha.html.php
+++ b/modules/recaptcha/views/admin_recaptcha.html.php
@@ -4,7 +4,7 @@
 <p>
 <?= t("reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows. In order to use it, you need to sign up for a <a href=\"%domain_url\">reCAPTCHA Public/Private Key pair</a>, which is also free. Once registered, the challenge and response strings are evaluated at <a href=\"%recaptcha_url\">recaptcha.net</a> to determine if the form content has been entered by a bot.",
 array("domain_url" => $form->get_key_url,
- "recaptcha_url" => "http://recaptcha.net")) ?>
+ "recaptcha_url" => html::mark_safe("http://recaptcha.net"))) ?>
 </p>
 <?= $form ?>
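Review bot: `html::mark_safe("http://recaptcha.net")` in the admin_recaptcha.html.php hunk bypasses whatever escaping `t()` applies to its substitutions, which is acceptable only because the argument is a string literal; nothing on the line records that, while `$form->get_key_url` on the line above correctly stays on the escaped path. A one-line note next to the call would stop a later edit from extending `mark_safe` to a variable: `<?php // mark_safe is for literal substitutions only; values such as $form->get_key_url must stay escaped ?>`. The surrounding `<?= t(...) ?>` call is fully inside the hunk.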
@@ -23,7 +23,7 @@
 Recaptcha.create("<?= $public_key ?>", "gRecaptcha", {
 callback: Recaptcha.focus_response_field,
 lang: "en",
- custom_translations : { instructions_visual : "<?= t("Type words to check:") ?>"},
+ custom_translations : { instructions_visual : <?= t("Type words to check:")->for_js() ?>},
 theme: "white"
 });
 </script>
diff --git a/modules/recaptcha/views/form_recaptcha.html.php b/modules/recaptcha/views/form_recaptcha.html.php
index d4031586..4ec04c49 100644
--- a/modules/recaptcha/views/form_recaptcha.html.php
+++ b/modules/recaptcha/views/form_recaptcha.html.php
@@ -8,7 +8,7 @@
 "gRecaptcha", {
 theme: "white",
- custom_translations : { instructions_visual : "<?= t("Type words to check:") ?>"},
+ custom_translations : { instructions_visual : <?= t("Type words to check:")->for_js() ?>},
 callback: Recaptcha.focus_response_field
 }
 );
diff --git a/modules/user/views/login_ajax.html.php b/modules/user/views/login_ajax.html.php
index d697c958..56bc1cbd 100644
--- a/modules/user/views/login_ajax.html.php
+++ b/modules/user/views/login_ajax.html.php
@@ -6,7 +6,7 @@
 url: "<?= url::site("password/reset") ?>",
 success: function(data) {
 $("div#gLoginView").html(data);
- $("#ui-dialog-title-gDialog").text("<?= t("Reset Password") ?>");
+ $("#ui-dialog-title-gDialog").html(<?= t("Reset Password")->for_js() ?>);
 ajaxify_login_reset_form();
 }
 }); |
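Review bot: The context line `Recaptcha.create("<?= $public_key ?>", "gRecaptcha", {` at the top of the second admin_recaptcha.html.php hunk still echoes `$public_key` raw inside a JS string literal, one line above the `instructions_visual` value this commit converts to `->for_js()`. The value comes from admin configuration rather than a request, so exposure is limited, but it is the same pattern the scanner flags and the same fix applies: `Recaptcha.create(<?= html::js_string($public_key) ?>, "gRecaptcha", {`. The corresponding argument in form_recaptcha.html.php is not visible in its hunk as rendered here, so it likely needs the same check.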
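Review bot: In the login_ajax.html.php hunk, the context line `url: "<?= url::site("password/reset") ?>",` keeps the quoted-echo form that the admin_maintenance_task.html.php hunk in this same commit replaces; for consistency it should become `url: <?= html::js_string(url::site("password/reset")) ?>,`. Separately, the fixed line switches from `.text()` to `.html()`; that is presumably deliberate because `t()` output is already HTML-escaped and `.text()` would render the entities literally, but a short comment saying so would keep the next reader from reverting it. The enclosing `$.ajax` call starts before the hunk.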