authorTim Almdal <tnalmdal@shaw.ca>2010-01-28 07:44:58 -0800
committerTim Almdal <tnalmdal@shaw.ca>2010-01-28 07:44:58 -0800
commitcedbc82dccaf74a983f1f92846735b69391fdf10 (patch)
tree22e39f1f74d9ab6bbc6a2f4292f504b76109deea /modules/gallery/controllers/user_profile.php
parentbbe70119ef99e77a57dbc5354bc348c7adaece46 (diff)
Do all the html::clean|purify calls in the views and not the controller. Also clean the subject line and email message body of the contact user email.
Diffstat (limited to 'modules/gallery/controllers/user_profile.php')
-rw-r--r--modules/gallery/controllers/user_profile.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/gallery/controllers/user_profile.php b/modules/gallery/controllers/user_profile.php
index a0e6619e..327d2ff1 100644
--- a/modules/gallery/controllers/user_profile.php
+++ b/modules/gallery/controllers/user_profile.php
@@ -53,11 +53,11 @@ class User_Profile_Controller extends Controller {
if ($form->validate()) {
Sendmail::factory()
->to($user->email)
- ->subject($form->message->subject->value)
+ ->subject(html::clean($form->message->subject->value))
->header("Mime-Version", "1.0")
->header("Content-type", "text/html; charset=iso-8859-1")
->reply_to($form->message->reply_to->value)
- ->message($form->message->message->value)
+ ->message(html::purify($form->message->message->value))
->send();
message::success(t("Sent message to %user_name", array("user_name" => $user->display_name())));
print json_encode(array("result" => "success"));
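Review bot: The `reply_to` value is still passed from the form straight into a mail header, and `html::clean` on the subject is HTML escaping, which does nothing about CR or LF characters in a header value. Whether `Sendmail` or the form's validation rules already reject line breaks is not visible in this hunk; if they do not, I would fail validation before building the message, e.g. `if (preg_match('/[\r\n]/', $form->message->reply_to->value . $form->message->subject->value)) { /* reject */ }`. HTML-escaping the subject also means recipients will probably see entities such as `&amp;` there, since the subject is a plain-text header rather than part of the `text/html` body. The enclosing method starts and ends outside the hunk.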