author | Andy Staudacher <andy.st@gmail.com> | 2009-08-31 02:12:01 -0700 |
---|---|---|
committer | Andy Staudacher <andy.st@gmail.com> | 2009-08-31 02:12:01 -0700 |
commit | 8312eb116e65195e3fc70d59b3b0817b9c807287 (patch) | |
tree | 1a7191e21d19c92cd5fa843144356a8bd950ef06 /modules/gallery/controllers | |
parent | 26f6d8192ffdfd0280987ec2b9df0305e983746d (diff) |
XSS review fixes (mostly adding missing html::mark_clean()) calls.
Diffstat (limited to 'modules/gallery/controllers')
-rw-r--r-- | modules/gallery/controllers/admin_advanced_settings.php | 2 | ||||
-rw-r--r-- | modules/gallery/controllers/admin_maintenance.php | 2 | ||||
-rw-r--r-- | modules/gallery/controllers/albums.php | 238 | ||||
-rw-r--r-- | modules/gallery/controllers/photos.php | 3 |
4 files changed, 123 insertions, 122 deletions
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php index 43c77340..79bc1183 100644 --- a/modules/gallery/controllers/admin_advanced_settings.php +++ b/modules/gallery/controllers/admin_advanced_settings.php @@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller { module::set_var($module_name, $var_name, Input::instance()->post("value")); message::success( t("Saved value for %var (%module_name)", - array("var" => html::clean($var_name), "module_name" => $module_name))); + array("var" => $var_name, "module_name" => $module_name))); print json_encode(array("result" => "success")); } diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php index 543961a1..66bcce55 100644 --- a/modules/gallery/controllers/admin_maintenance.php +++ b/modules/gallery/controllers/admin_maintenance.php @@ -34,7 +34,7 @@ class Admin_Maintenance_Controller extends Admin_Controller { "%count tasks are stalled", $stalled_count), t('<a href="%url">view</a>', - array("url" => url::site("admin/maintenance")))); + array("url" => html::mark_clean(url::site("admin/maintenance"))))); } $view = new Admin_View("admin.html"); diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index ec3eb426..78f12c80 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php 
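Review bot: Dropping `html::clean($var_name)` in the admin_advanced_settings.php hunk is only safe if `t()` escapes its `%var` / `%module_name` substitutions by default, which the rest of this commit (adding `html::mark_clean()` only where raw output is wanted) suggests but the hunk itself does not show. Both `$var_name` and `$module_name` reach `module::set_var()` and presumably originate from the request, since the enclosing method starts outside the hunk I cannot confirm where they are read. A short comment above the `message::success(` call would keep that invariant visible to the next editor: `// t() HTML-escapes its parameters; never wrap request-derived values in html::mark_clean()`.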
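Review bot: In the admin_maintenance.php hunk `html::mark_clean(url::site("admin/maintenance"))` is justified because the argument is a literal route, but the value lands inside a double-quoted `href` attribute of a translated string, so the only thing keeping that safe is the literal; if `url::site()` also prepends a base URL taken from configuration or the request host, that part is presumably not escaped either. A one-line comment would record why the bypass is acceptable here, e.g. `// mark_clean is safe only because the path is a literal; do not pass user-derived segments`. The enclosing method begins and ends outside the hunk.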
@@ -1,118 +1,118 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. - */ -class Albums_Controller extends Items_Controller { - - /** - * @see REST_Controller::_show($resource) - */ - public function _show($album) { - $page_size = module::get_var("gallery", "page_size", 9); - if (!access::can("view", $album)) { - if ($album->id == 1) { - $view = new Theme_View("page.html", "login"); - $view->page_title = t("Log in to Gallery"); - $view->content = user::get_login_form("login/auth_html"); - print $view; - return; - } else { - access::forbidden(); - } - } - - $show = $this->input->get("show"); - - if ($show) { - $index = $album->get_position($show); - $page = ceil($index / $page_size); - if ($page == 1) { - url::redirect("albums/$album->id"); - } else { - url::redirect("albums/$album->id?page=$page"); - } - } - - $page = $this->input->get("page", "1"); - $children_count = $album->viewable()->children_count(); - $offset = ($page - 1) * $page_size; - $max_pages = max(ceil($children_count / $page_size), 1); - - // Make sure that the page references a valid offset - if ($page < 1) { - url::redirect("albums/$album->id"); - } else if 
($page > $max_pages) { - url::redirect("albums/$album->id?page=$max_pages"); - } - - $template = new Theme_View("page.html", "album"); - $template->set_global("page_size", $page_size); - $template->set_global("item", $album); - $template->set_global("children", $album->viewable()->children($page_size, $offset)); - $template->set_global("children_count", $children_count); - $template->set_global("parents", $album->parents()); - $template->content = new View("album.html"); - - // We can't use math in ORM or the query builder, so do this by hand. It's important - // that we do this with math, otherwise concurrent accesses will damage accuracy. - Database::instance()->query( - "UPDATE {items} SET `view_count` = `view_count` + 1 WHERE `id` = $album->id"); - - print $template; - } - - /** - * @see REST_Controller::_create($resource) - */ - public function _create($album) { - access::verify_csrf(); - access::required("view", $album); - access::required("add", $album); - - switch ($this->input->post("type")) { - case "album": - return $this->_create_album($album); - - case "photo": - return $this->_create_photo($album); - - default: - access::forbidden(); - } - } - - private function _create_album($album) { - access::required("view", $album); - access::required("add", $album); - - $form = album::get_add_form($album); - if ($form->validate()) { - $new_album = album::create( - $album, - $this->input->post("name"), - $this->input->post("title", $this->input->post("name")), - $this->input->post("description"), - user::active()->id); - - log::success("content", "Created an album", - html::anchor("albums/$new_album->id", "view album")); - message::success( - t("Created album %album_title", array("album_title" => $new_album->title))); + <?php defined("SYSPATH") or die("No direct script access."); + /** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + 
* it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ + class Albums_Controller extends Items_Controller { + + /** + * @see REST_Controller::_show($resource) + */ + public function _show($album) { + $page_size = module::get_var("gallery", "page_size", 9); + if (!access::can("view", $album)) { + if ($album->id == 1) { + $view = new Theme_View("page.html", "login"); + $view->page_title = t("Log in to Gallery"); + $view->content = user::get_login_form("login/auth_html"); + print $view; + return; + } else { + access::forbidden(); + } + } + + $show = $this->input->get("show"); + + if ($show) { + $index = $album->get_position($show); + $page = ceil($index / $page_size); + if ($page == 1) { + url::redirect("albums/$album->id"); + } else { + url::redirect("albums/$album->id?page=$page"); + } + } + + $page = $this->input->get("page", "1"); + $children_count = $album->viewable()->children_count(); + $offset = ($page - 1) * $page_size; + $max_pages = max(ceil($children_count / $page_size), 1); + + // Make sure that the page references a valid offset + if ($page < 1) { + url::redirect("albums/$album->id"); + } else if ($page > $max_pages) { + url::redirect("albums/$album->id?page=$max_pages"); + } + + $template = new Theme_View("page.html", "album"); + $template->set_global("page_size", $page_size); + $template->set_global("item", $album); + $template->set_global("children", 
$album->viewable()->children($page_size, $offset)); + $template->set_global("children_count", $children_count); + $template->set_global("parents", $album->parents()); + $template->content = new View("album.html"); + + // We can't use math in ORM or the query builder, so do this by hand. It's important + // that we do this with math, otherwise concurrent accesses will damage accuracy. + Database::instance()->query( + "UPDATE {items} SET `view_count` = `view_count` + 1 WHERE `id` = $album->id"); + + print $template; + } + + /** + * @see REST_Controller::_create($resource) + */ + public function _create($album) { + access::verify_csrf(); + access::required("view", $album); + access::required("add", $album); + + switch ($this->input->post("type")) { + case "album": + return $this->_create_album($album); + + case "photo": + return $this->_create_photo($album); + + default: + access::forbidden(); + } + } + + private function _create_album($album) { + access::required("view", $album); + access::required("add", $album); + + $form = album::get_add_form($album); + if ($form->validate()) { + $new_album = album::create( + $album, + $this->input->post("name"), + $this->input->post("title", $this->input->post("name")), + $this->input->post("description"), + user::active()->id); + + log::success("content", "Created an album", + html::anchor("albums/$new_album->id", "view album")); + message::success(t("Created album %album_title", + array("album_title" => html::purify($new_album->title)))); print json_encode( array("result" => "success", @@ -144,8 +144,8 @@ class Albums_Controller extends Items_Controller { user::active()->id); log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo")); - message::success( - t("Added photo %photo_title", array("photo_title" => $photo->title))); + message::success(t("Added photo %photo_title", + array("photo_title" => html::purify($photo->title)))); print json_encode( array("result" => "success", 
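Review bot: `$page = $this->input->get("page", "1")` in `_show()` is used in arithmetic and in the range checks without being cast, so a value such as `page=1.5` passes both `$page < 1` and `$page > $max_pages` and produces a fractional `$offset` (`0.5 * $page_size`) that is then handed to `children($page_size, $offset)`; whether that helper casts the offset is not visible here, but casting at the boundary removes the question: `$page = (int) $this->input->get("page", "1");` (and `max(1, ...)` is already handled by the redirect). The same defensive cast would make the hand-built `UPDATE {items} ... WHERE `id` = $album->id` explicit about its integer assumption, `(int) $album->id`, even though the id presumably comes from the ORM rather than the request. Separately, this hunk rewrites all 118 lines of the file while the only semantic change is the `html::purify($new_album->title)` call at its end; keeping whitespace or line-ending churn in its own commit would let the XSS fix be reviewed on its own.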
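Review bot: `html::purify($photo->title)` (and the identical change to `$new_album->title` above, to `$album->title` in the `@@ -193` hunk, and to `$photo->title` in photos.php) allow-lists markup rather than escaping it, so a title can still carry HTML into the flash message and, if purify returns a clean-marked string, past whatever escaping `t()` applies to plain parameters. That is a deliberate choice only if titles are meant to render as rich text; the admin_advanced_settings.php hunk in this same commit treats a comparable value as plain text by relying on `t()` alone. Either way the intent should be stated once at the call sites, e.g. `// titles may contain allow-listed HTML; purify (not clean) keeps it renderable`, or the value passed through unchanged if plain text is intended. The enclosing `_create_photo`/`_update` methods start and end outside these hunks.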
@@ -193,8 +193,8 @@ class Albums_Controller extends Items_Controller { module::event("item_edit_form_completed", $album, $form); log::success("content", "Updated album", "<a href=\"albums/$album->id\">view</a>"); - message::success( - t("Saved album %album_title", array("album_title" => $album->title))); + message::success(t("Saved album %album_title", + array("album_title" => html::purify($album->title)))); print json_encode( array("result" => "success", diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php index 3447b4c6..3b9662c7 100644 --- a/modules/gallery/controllers/photos.php +++ b/modules/gallery/controllers/photos.php @@ -86,7 +86,8 @@ class Photos_Controller extends Items_Controller { log::success("content", "Updated photo", "<a href=\"photos/$photo->id\">view</a>"); message::success( - t("Saved photo %photo_title", array("photo_title" => $photo->title))); + t("Saved photo %photo_title", + array("photo_title" => html::purify($photo->title)))); print json_encode( array("result" => "success", |