author | Bharat Mediratta <bharat@menalto.com> | 2009-05-31 01:02:51 -0700 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2009-05-31 01:02:51 -0700 |
commit | 9369ccab7fb3413d63e218cec81b4cf43442fd98 (patch) | |
tree | 22066e2335c6aa2d81fadc56fbdbea8e7694069c /modules/server_add/views | |
parent | a049de28ace48a3970371caf24d7c389d8d93cd7 (diff) |
Run all variables that come from user-entered data through p::clean()
Diffstat (limited to 'modules/server_add/views')
-rw-r--r-- | modules/server_add/views/server_add_tree.html.php | 2 | ||||
-rw-r--r-- | modules/server_add/views/server_add_tree_dialog.html.php | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index 69ff09a6..b7b494e4 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -16,7 +16,7 @@ $("#<?= $tree_id ?>").ready(function() {
 <? if (!empty($file_info["is_dir"])): ?>
 <span class="ui-icon ui-icon-plus"></span>
 <? endif ?>
- <label> <?= form::checkbox("checkbox[]", $file_info["path"]) . " $file" ?> </label>
+ <label> <?= form::checkbox("checkbox[]", p::clean($file_info["path"])) . " " . p::clean($file) ?> </label>
 </li>
 <? endforeach ?>
 </ul>
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index c8eb6a1c..f600ce60 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -5,14 +5,14 @@
 </script>
 <?= html::script("modules/server_add/js/server_add.js"); ?>
 <div id="gServerAdd">
- <h1 style="display: none;"><?= sprintf(t("Add Photos to '%s'"), $album_title) ?></h1>
+ <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => p::clean($album_title))) ?></h1>
 <p id="gDescription"><?= t("Photos will be added to album:") ?></p>
 <ul class="gBreadcrumbs">
 <? foreach ($parents as $parent): ?>
- <li><?= $parent->title ?></li>
+ <li><?= p::clean($parent->title) ?></li>
 <? endforeach ?>
- <li class="active"><?= $album_title ?></li>
+ <li class="active"><?= p::clean($album_title) ?></li>
 </ul>
 <?= form::open($action, array("method" => "post")) ?> |
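Review bot: On the new `<label>` line, `p::clean($file_info["path"])` is encoded before it is passed to `form::checkbox()`, and the hunk does not show whether that helper already encodes attribute values. If it does, the path is HTML-encoded twice, so a file name containing `&` or a quote would be posted back in `checkbox[]` as a different string from the one on disk. It is worth confirming which layer owns attribute encoding and encoding exactly once; if the helper already escapes, that would be `form::checkbox("checkbox[]", $file_info["path"]) . " " . p::clean($file)`. Output escaping also does not replace checking the submitted path against the authorised directories in the handler that receives it. The enclosing `<li>` loop starts outside the hunk.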
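Review bot: The new `<h1>` line cleans `$album_title` at the call site before `t()` interpolates it, but nothing here records whether `t()` escapes placeholder values itself, so the next caller can either miss the escape or apply it twice. I would state the contract next to the call, for example `<? /* placeholder values passed to t() must already be HTML-safe; the result is echoed as-is */ ?>`, once the behaviour of `t()` is confirmed. Changing the message from `'%s'` to `'%title'` also changes the source string, so any existing translation keyed on the old text presumably stops matching and falls back to English. The `p::clean()` calls on `$parent->title` and `$album_title` in the breadcrumb list look right for element-text context.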