Fix a bunch of XSS vulnerabilities turned up by manual inspection

using the checklist in ticket #385.

1 files changed, 3 insertions, 2 deletions

diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 54a7905e..4d901051 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -62,7 +62,8 @@ class Login_Controller extends Controller {
       if (!$user->loaded || !user::is_correct_password($user, $form->login->password->value)) {
         log::warning(
           "user",
-          t("Failed login for %name", array("name" => $form->login->inputs["name"]->value)));
+          t("Failed login for %name",
+            array("name" => p::clean($form->login->inputs["name"]->value))));
         $form->login->inputs["name"]->add_error("invalid_login", 1);
         $valid = false;
       }
@@ -70,7 +71,7 @@ class Login_Controller extends Controller {
 
     if ($valid) {
       user::login($user);
-      log::info("user", t("User %name logged in", array("name" => $user->name)));
+      log::info("user", t("User %name logged in", array("name" => p::clean($user->name))));
     }
 
     // Either way, regenerate the session id to avoid session trapping