authorBharat Mediratta <bharat@menalto.com>2009-07-01 17:57:39 -0700
committerBharat Mediratta <bharat@menalto.com>2009-07-01 17:57:39 -0700
commit8f9a943f55c1342177d7687e3d891f5d1c9eff30 (patch)
treeeb84d7973495f3b9558951139c0b4952be0a2aaa /modules/organize/controllers
parent7b1e3c50218b235a7d25ebe21f93eb8dd9acfb84 (diff)
Fix a bunch of XSS vulnerabilities turned up by manual inspection
using the checklist in ticket #385.
Diffstat (limited to 'modules/organize/controllers')
-rw-r--r--modules/organize/controllers/organize.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 57709cb5..5f80805c 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -283,10 +283,10 @@ class Organize_Controller extends Controller {
if ($item->is_album()) {
log::success("content", "Updated album", "<a href=\"albums/$item->id\">view</a>");
- $message = t("Saved album %album_title", array("album_title" => $item->title));
+ $message = t("Saved album %album_title", array("album_title" => p::clean($item->title)));
} else {
log::success("content", "Updated photo", "<a href=\"photos/$item->id\">view</a>");
- $message = t("Saved photo %photo_title", array("photo_title" => $item->title));
+ $message = t("Saved photo %photo_title", array("photo_title" => p::clean($item->title)));
}
print json_encode(array("form" => $form->__toString(), "message" => $message));
} else {
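Review bot: The new `p::clean($item->title)` on the substitution argument escapes at message-construction time, but whether that is the right layer depends on what `t()` does with its placeholder array, which is not visible here: if `t()` already escapes substitutions, titles containing `&`, `<` or quotes are now double-encoded in the JSON `message`. Either way the intent deserves a comment so a future maintainer neither removes nor duplicates the call, e.g. `// title is user-supplied; escape it here because "message" is rendered as HTML by the client`. The same pattern recurs in the second hunk (the `Saved album` message around line 325), so the comment belongs there too. The two `log::success` calls in this hunk still interpolate `$item->id` unescaped into an href, which is only safe if `id` is guaranteed numeric — presumably it is an integer database key, but that is not established by the hunk. The enclosing method starts and ends outside the hunk.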
@@ -325,7 +325,7 @@ class Organize_Controller extends Controller {
module::event("item_updated", $orig, $item);
log::success("content", "Updated album", "<a href=\"albums/$item->id\">view</a>");
- $message = t("Saved album %album_title", array("album_title" => $item->title));
+ $message = t("Saved album %album_title", array("album_title" => p::clean($item->title)));
print json_encode(array("form" => $form->__toString(), "message" => $message));
} else {
print json_encode(array("form" => $form->__toString()));