authorTim Almdal <tnalmdal@shaw.ca>2010-07-06 14:12:00 -0700
committerTim Almdal <tnalmdal@shaw.ca>2010-07-06 14:12:01 -0700
commitdbf3199e46d8a9c0ae37108f6afda35232ef4cdd (patch)
tree0dfda5cf87fdcd5ded534c9eb6f21bb44e4906f9 /modules/gallery
parent9d66783f47636153bf3661d1d89e694dd5188c36 (diff)
Fix for ticket #1181. Use $.getJSON to retrieve the json contents of the dialog. Convert all the controllers
that create the data to go into a dialog to return the html as part of a json object.
Diffstat (limited to 'modules/gallery')
-rw-r--r--modules/gallery/controllers/admin_advanced_settings.php2
-rw-r--r--modules/gallery/controllers/admin_maintenance.php6
-rw-r--r--modules/gallery/controllers/admin_themes.php2
-rw-r--r--modules/gallery/controllers/albums.php4
-rw-r--r--modules/gallery/controllers/flash_uploader.php3
-rw-r--r--modules/gallery/controllers/login.php2
-rw-r--r--modules/gallery/controllers/move.php2
-rw-r--r--modules/gallery/controllers/movies.php2
-rw-r--r--modules/gallery/controllers/permissions.php2
-rw-r--r--modules/gallery/controllers/photos.php6
-rw-r--r--modules/gallery/controllers/quick.php17
-rw-r--r--modules/gallery/controllers/user_profile.php2
-rw-r--r--modules/gallery/tests/xss_data.txt1
-rw-r--r--modules/gallery/views/move_browse.html.php13
-rw-r--r--modules/gallery/views/quick_delete_confirm.html.php12
15 files changed, 43 insertions, 33 deletions
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index 6f4e9403..2bbbdf50 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -39,7 +39,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
$group->input("var_name")->label(t("Setting"))->value($var_name)->disabled(1);
$group->textarea("value")->label(t("Value"))->value($value);
$group->submit("")->value(t("Save"));
- print $form;
+ print json_encode(array("form" => (string) $form));
}
public function save($module_name, $var_name) {
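Review bot: The JSON body printed at the end of this action is sent without an explicit content type, as far as the hunk shows. Unless the framework sets one elsewhere, the response goes out under PHP's default `text/html`, and a browser that loads the URL directly will parse the embedded form markup as a page. Adding `header("Content-Type: application/json; charset=UTF-8");` before the `print` avoids that. The same `print json_encode(array("form" => ...))` line is repeated in every controller this commit touches (admin_maintenance, admin_themes, albums, flash_uploader, login, move, movies, permissions, photos, quick, user_profile), so one shared helper that sets the header and encodes the payload would keep them consistent. The enclosing method starts outside the hunk.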
diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php
index d6a2d191..489f5d54 100644
--- a/modules/gallery/controllers/admin_maintenance.php
+++ b/modules/gallery/controllers/admin_maintenance.php
@@ -64,7 +64,7 @@ class Admin_Maintenance_Controller extends Admin_Controller {
log::info("tasks", t("Task %task_name started (task id %task_id)",
array("task_name" => $task->name, "task_id" => $task->id)),
html::anchor("admin/maintenance", t("maintenance")));
- print $view;
+ print json_encode(array("form" => (string) $view));
}
/**
@@ -86,7 +86,7 @@ class Admin_Maintenance_Controller extends Admin_Controller {
log::info("tasks", t("Task %task_name resumed (task id %task_id)",
array("task_name" => $task->name, "task_id" => $task->id)),
html::anchor("admin/maintenance", t("maintenance")));
- print $view;
+ print json_encode(array("form" => (string) $view));
}
/**
@@ -103,7 +103,7 @@ class Admin_Maintenance_Controller extends Admin_Controller {
$view = new View("admin_maintenance_show_log.html");
$view->task = $task;
- print $view;
+ print json_encode(array("form" => (string) $view));
}
/**
diff --git a/modules/gallery/controllers/admin_themes.php b/modules/gallery/controllers/admin_themes.php
index e59eadaf..b1bd438f 100644
--- a/modules/gallery/controllers/admin_themes.php
+++ b/modules/gallery/controllers/admin_themes.php
@@ -52,7 +52,7 @@ class Admin_Themes_Controller extends Admin_Controller {
} else {
$view->url = item::root()->url("theme=$theme_name");
}
- print $view;
+ print json_encode(array("form" => (string) $view));
}
public function choose($type, $theme_name) {
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index eaa09be5..8aed1341 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -168,7 +168,7 @@ class Albums_Controller extends Items_Controller {
access::required("view", $album);
access::required("add", $album);
- print album::get_add_form($album);
+ print json_encode(array("form" => (string) album::get_add_form($album)));
}
public function form_edit($album_id) {
@@ -176,6 +176,6 @@ class Albums_Controller extends Items_Controller {
access::required("view", $album);
access::required("edit", $album);
- print album::get_edit_form($album);
+ print json_encode(array("form" => (string) album::get_edit_form($album)));
}
}
diff --git a/modules/gallery/controllers/flash_uploader.php b/modules/gallery/controllers/flash_uploader.php
index f7da5124..be3896cd 100644
--- a/modules/gallery/controllers/flash_uploader.php
+++ b/modules/gallery/controllers/flash_uploader.php
@@ -26,7 +26,8 @@ class Flash_Uploader_Controller extends Controller {
$item = $item->parent();
}
- print $this->_get_add_form($item);
+ print json_encode(array("form" => (string)$this->_get_add_form($item)));
+ //print $this->_get_add_form($item);
}
public function start() {
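Review bot: The commented-out `//print $this->_get_add_form($item);` left under the new `print json_encode(...)` line is dead code and should be dropped, since the old behaviour is already in version history. The cast is also written `(string)$this->_get_add_form($item)` without the space the other controllers use (`(string) $view`). The enclosing method starts outside the hunk.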
diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php
index 2b60316b..b823504b 100644
--- a/modules/gallery/controllers/login.php
+++ b/modules/gallery/controllers/login.php
@@ -22,7 +22,7 @@ class Login_Controller extends Controller {
public function ajax() {
$view = new View("login_ajax.html");
$view->form = auth::get_login_form("login/auth_ajax");
- print $view;
+ print json_encode(array("form" => (string) $view));
}
public function auth_ajax() {
diff --git a/modules/gallery/controllers/move.php b/modules/gallery/controllers/move.php
index f8b85b6f..a99ef341 100644
--- a/modules/gallery/controllers/move.php
+++ b/modules/gallery/controllers/move.php
@@ -26,7 +26,7 @@ class Move_Controller extends Controller {
$view = new View("move_browse.html");
$view->source = $source;
$view->tree = $this->_get_tree_html($source, ORM::factory("item", 1));
- print $view;
+ print json_encode(array("form" => (string) $view));
}
public function save($source_id) {
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 16d22d90..c18dbcde 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -102,6 +102,6 @@ class Movies_Controller extends Items_Controller {
access::required("view", $movie);
access::required("edit", $movie);
- print movie::get_edit_form($movie);
+ print json_encode(array("form" => (string) movie::get_edit_form($movie)));
}
}
diff --git a/modules/gallery/controllers/permissions.php b/modules/gallery/controllers/permissions.php
index fc06cb44..8fdda7b2 100644
--- a/modules/gallery/controllers/permissions.php
+++ b/modules/gallery/controllers/permissions.php
@@ -33,7 +33,7 @@ class Permissions_Controller extends Controller {
$view->parents = $item->parents();
$view->form = $this->_get_form($item);
- print $view;
+ print json_encode(array("form" => (string) $view));
}
function form($id) {
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index f336d07c..9f17cebb 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -24,9 +24,9 @@ class Photos_Controller extends Items_Controller {
// sure that we're actually receiving an object
throw new Kohana_404_Exception();
}
-
+
access::required("view", $photo);
-
+
$where = array(array("type", "!=", "album"));
$position = $photo->parent()->get_position($photo, $where);
if ($position > 1) {
@@ -102,6 +102,6 @@ class Photos_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- print photo::get_edit_form($photo);
+ print json_encode(array("form" => (string) photo::get_edit_form($photo)));
}
}
diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php
index 6cfbbc62..7df5bf18 100644
--- a/modules/gallery/controllers/quick.php
+++ b/modules/gallery/controllers/quick.php
@@ -90,17 +90,10 @@ class Quick_Controller extends Controller {
access::required("view", $item);
access::required("edit", $item);
- if ($item->is_album()) {
- print t(
- "Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
- array("title" => html::purify($item->title)));
- } else {
- print t("Are you sure you want to delete <b>%title</b>?",
- array("title" => html::purify($item->title)));
- }
-
- $form = item::get_delete_form($item);
- print $form;
+ $v = new View("quick_delete_confirm.html");
+ $v->item = $item;
+ $v->form = item::get_delete_form($item);
+ print json_encode(array("form" => (string) $v));
}
public function delete($id) {
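Review bot: The new view variable is named `$v` here, while the other controllers in this commit (login, move, permissions, admin_maintenance) call it `$view`; renaming it keeps the dialog actions uniform. The `html::purify($item->title)` calls removed from this controller now live in the view, so a short comment such as `// title is purified inside quick_delete_confirm.html` above the `new View(...)` line would record that the escaping was moved, not dropped. The enclosing method starts outside the hunk.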
@@ -149,6 +142,6 @@ class Quick_Controller extends Controller {
// Pass on the source item where this form was generated, so we have an idea where to return to.
$form->hidden("from_id")->value((int)Input::instance()->get("from_id", 0));
- print $form;
+ print json_encode(array("form" => (string) $form));
}
}
diff --git a/modules/gallery/controllers/user_profile.php b/modules/gallery/controllers/user_profile.php
index c064e791..431918ff 100644
--- a/modules/gallery/controllers/user_profile.php
+++ b/modules/gallery/controllers/user_profile.php
@@ -44,7 +44,7 @@ class User_Profile_Controller extends Controller {
public function contact($id) {
$user = identity::lookup_user($id);
- print user_profile::get_contact_form($user);
+ print json_encode(array("form" => (string) user_profile::get_contact_form($user)));
}
public function send($id) {
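Review bot: `contact($id)` passes the result of `identity::lookup_user($id)` straight to `user_profile::get_contact_form()` with no check that a user was found and no `access::required(...)` call, unlike the album, photo and movie form actions in this commit. If `lookup_user` can return null for an unknown id (not visible here), the request would fail inside form construction instead of returning a clean 404. A guard such as `if (!$user) { throw new Kohana_404_Exception(); }`, using the exception class seen in photos.php, would handle that. It is also worth confirming that serving the contact form for any user id to any visitor is intended.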
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 26edaebc..475f75c1 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -253,6 +253,7 @@ modules/gallery/views/permissions_form.html.php 75 DIRTY_JS $item-
modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $group->id
modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $permission->id
modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $item->id
+modules/gallery/views/quick_delete_confirm.html.php 11 DIRTY $form
modules/gallery/views/reauthenticate.html.php 9 DIRTY $form
modules/gallery/views/upgrader.html.php 57 DIRTY_ATTR $done?"muted":""
modules/gallery/views/upgrader.html.php 61 DIRTY_ATTR $done?"muted":""
diff --git a/modules/gallery/views/move_browse.html.php b/modules/gallery/views/move_browse.html.php
index ce3fc2fd..f77c724c 100644
--- a/modules/gallery/views/move_browse.html.php
+++ b/modules/gallery/views/move_browse.html.php
@@ -1,4 +1,5 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
+<div>
<script type="text/javascript">
var load_tree = function(target_id, locked) {
var load_url = "<?= url::site("move/show_sub_tree/{$source->id}/__TARGETID__") ?>";
@@ -24,13 +25,13 @@
}
}
</script>
-<h1 style="display: none">
+<h1 style="display:none" >
<? if ($source->type == "photo"): ?>
- <? t("Move this photo to a new album") ?>
+ <?= t("Move this photo to a new album") ?>
<? elseif ($source->type == "movie"): ?>
- <? t("Move this movie to a new album") ?>
+ <?= t("Move this movie to a new album") ?>
<? elseif ($source->type == "album"): ?>
- <? t("Move this album to a new album") ?>
+ <?= t("Move this album to a new album") ?>
<? endif ?>
</h1>
<div id="g-move">
@@ -42,6 +43,8 @@
<form method="post" action="<?= url::site("move/save/$source->id") ?>">
<?= access::csrf_form_field() ?>
<input type="hidden" name="target_id" value="" />
- <input type="submit" id="g-move-button" value="<?= t("Move")->for_html_attr() ?>" disabled="disabled"/>
+ <input type="submit" id="g-move-button" value="<?= t("Move")->for_html_attr() ?>"
+ disabled="disabled" class="submit" />
</form>
</div>
+</div>
diff --git a/modules/gallery/views/quick_delete_confirm.html.php b/modules/gallery/views/quick_delete_confirm.html.php
new file mode 100644
index 00000000..176ffb96
--- /dev/null
+++ b/modules/gallery/views/quick_delete_confirm.html.php
@@ -0,0 +1,12 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<div class="ui-helper-clearfix">
+ <p>
+ <? if ($item->is_album()): ?>
+ <?= t("Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
+ array("title" => html::purify($item->title))) ?>
+ <? else: ?>
+ <?= t("Are you sure you want to delete <b>%title</b>?", array("title" => html::purify($item->title))) ?>
+ <? endif ?>
+ </p>
+ <?= $form ?>
+</div>
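Review bot: The new view has no header comment naming the variables it expects, and `$form` is echoed unescaped on its line 11, which this commit records as `DIRTY` in xss_data.txt. The view reads `$item` (for `is_album()` and `title`) and `$form`, so a short PHP comment under the `defined("SYSPATH")` line should state both, for example `// $form is printed raw: pass only the object returned by item::get_delete_form()`. That makes the trust assumption explicit for anyone who reuses the view from another controller.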