author | Andy Staudacher <andy.st@gmail.com> | 2009-08-31 21:51:57 -0700 |
---|---|---|
committer | Andy Staudacher <andy.st@gmail.com> | 2009-08-31 21:51:57 -0700 |
commit | 2bc73e2e36fefc3c1ee1b8e97e686c6729e58dcb (patch) | |
tree | c511db2684ea957572a1d27caf49a08963ef8484 /modules | |
parent | 8c3a2db3803ccaa3572f0bf061ca7faf62f13fca (diff) |
Fix XSS vectors in HTML attributes (mostly t() calls)
Diffstat (limited to 'modules')
21 files changed, 59 insertions, 59 deletions
diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php index dc3975e0..2afa5bf8 100644 --- a/modules/comment/views/admin_block_recent_comments.html.php +++ b/modules/comment/views/admin_block_recent_comments.html.php @@ -4,7 +4,7 @@ <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>"> <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>" class="gAvatar" - alt="<?= html::clean($comment->author_name()) ?>" + alt="<?= html::clean_attribute($comment->author_name()) ?>" width="32" height="32" /> <?= gallery::date_time($comment->created) ?> diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php index 588c3ebc..f5970ae1 100644 --- a/modules/comment/views/admin_comments.html.php +++ b/modules/comment/views/admin_comments.html.php @@ -122,7 +122,7 @@ <a href="<?= $item->url() ?>"> <? if ($item->has_thumb()): ?> <img src="<?= $item->thumb_url() ?>" - alt="<?= html::purify($item->title) ?>" + alt="<?= html::purify($item->title)->for_html_attr() ?>" <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?> /> <? else: ?> diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php index 1d0786cb..ce4e197d 100644 --- a/modules/comment/views/comment.html.php +++ b/modules/comment/views/comment.html.php @@ -4,7 +4,7 @@ <a href="#"> <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>" class="gAvatar" - alt="<?= html::clean($comment->author_name()) ?>" + alt="<?= html::clean_attribute($comment->author_name()) ?>" width="40" height="40" /> </a> diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php index 1e45c946..b7ebdf3a 100644 --- a/modules/comment/views/comments.html.php +++ b/modules/comment/views/comments.html.php 
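Review bot: The `src` attribute on the `<img>` in admin_block_recent_comments.html.php is still written without attribute escaping, so the fix covers only `alt`. `avatar_url()` is not visible in this hunk, so it cannot be confirmed here whether its return value can contain a quote or a bare `&`. If it can carry anything derived from user data, `src="<?= html::clean_attribute($comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true))) ?>"` would close the gap. The same unescaped `src` appears in the hunks for comment.html.php, comments.html.php and admin_users.html.php, and `href="<?= $item->url() ?>"` and `src="<?= $item->thumb_url() ?>"` in admin_comments.html.php have the same shape.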
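Review bot: The `alt` in admin_comments.html.php uses `html::purify($item->title)->for_html_attr()`, while the neighbouring comment views use `html::clean_attribute(...)` for the same attribute context. Neither helper is shown, but if `html::purify` keeps a subset of markup, a title containing tags would show them as literal text in the `alt`/`title` value once it is attribute-escaped. Unless the purify step is intentional, `alt="<?= html::clean_attribute($item->title) ?>"` would be consistent with the other hunks. The same applies to admin_block_photo_stream.html.php and to the `title` attributes in feed.mrss.php.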
@@ -18,7 +18,7 @@ <a href="#"> <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>" class="gAvatar" - alt="<?= html::clean($comment->author_name()) ?>" + alt="<?= html::clean_attribute($comment->author_name()) ?>" width="40" height="40" /> </a> diff --git a/modules/exif/views/exif_sidebar.html.php b/modules/exif/views/exif_sidebar.html.php index ee528613..60c0e1d4 100644 --- a/modules/exif/views/exif_sidebar.html.php +++ b/modules/exif/views/exif_sidebar.html.php @@ -1,5 +1,5 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> -<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details") ?>" +<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"> <span class="ui-icon ui-icon-info"></span> <?= t("View more information") ?> diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php index 4235e8f8..c3595da5 100644 --- a/modules/gallery/views/admin_advanced_settings.html.php +++ b/modules/gallery/views/admin_advanced_settings.html.php @@ -24,7 +24,7 @@ <td> <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>" class="gDialogLink" - title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>"> + title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name))->for_html_attr() ?>"> <? if ($var->value): ?> <?= html::clean($var->value) ?> <? else: ?> diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php index a50836ad..1b9d8ff5 100644 --- a/modules/gallery/views/admin_block_photo_stream.html.php +++ b/modules/gallery/views/admin_block_photo_stream.html.php 
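Review bot: In admin_advanced_settings.html.php, the `href` directly above the changed `title` builds a URL path from `$var->module_name` with no encoding and from `$var->name` with `html::clean()`, which is HTML escaping rather than URL encoding. A value containing `/`, `?` or `#` would alter the route instead of being treated as a single path segment. Suggest `url::site("admin/advanced_settings/edit/" . rawurlencode($var->module_name) . "/" . rawurlencode($var->name))`, with attribute escaping applied to the result if `url::site()` does not already do it. The enclosing `<td>` continues past the end of the hunk.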
@@ -2,9 +2,9 @@ <ul> <? foreach ($photos as $photo): ?> <li class="gItem gPhoto"> - <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>"> + <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::purify($photo->title)->for_html_attr() ?>"> <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?> - src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" /> + src="<?= $photo->thumb_url() ?>" alt="<?= html::purify($photo->title)->for_html_attr() ?>" /> </a> </li> <? endforeach ?> diff --git a/modules/gallery/views/admin_modules.html.php b/modules/gallery/views/admin_modules.html.php index 168e20d0..9cf03cb3 100644 --- a/modules/gallery/views/admin_modules.html.php +++ b/modules/gallery/views/admin_modules.html.php @@ -27,6 +27,6 @@ <? $i++ ?> <? endforeach ?> </table> - <input type="submit" value="<?= t("Update") ?>"/> + <input type="submit" value="<?= t("Update")->for_html_attr() ?>"/> </form> </div> diff --git a/modules/gallery/views/admin_themes.html.php b/modules/gallery/views/admin_themes.html.php index dc13a6a0..0aac4717 100644 --- a/modules/gallery/views/admin_themes.html.php +++ b/modules/gallery/views/admin_themes.html.php @@ -16,7 +16,7 @@ <h2> <?= t("Gallery theme") ?> </h2> <div class="gBlock gSelected"> <img src="<?= url::file("themes/{$site}/thumbnail.png") ?>" - alt="<?= $themes[$site]->name ?>" /> + alt="<?= html::clean_attribute($themes[$site]->name) ?>" /> <h3> <?= $themes[$site]->name ?> </h3> <p> <?= $themes[$site]->description ?> 
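Review bot: In admin_themes.html.php, `$themes[$site]->name` is now escaped for the `alt` attribute, but the next lines still print the same value and `$themes[$site]->description` unescaped into `<h3>` and `<p>`. If theme metadata is not fully trusted (for example a theme obtained from a third party), those element bodies remain an injection point that this commit leaves open. `<h3> <?= html::clean($themes[$site]->name) ?> </h3>` and `<p> <?= html::clean($themes[$site]->description) ?>` would cover them. The three later hunks in this file (`$info->name`/`$info->description` and `$themes[$admin]->name`/`$themes[$admin]->description`) show the same pattern.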
@@ -30,9 +30,9 @@ <? if (!$info->site) continue ?> <? if ($id == $site) continue ?> <div class="gBlock"> - <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>"> + <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>"> <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>" - alt="<?= $info->name ?>" /> + alt="<?= html::clean_attribute($info->name) ?>" /> <h3> <?= $info->name ?> </h3> <p> <?= $info->description ?> @@ -54,7 +54,7 @@ <h2> <?= t("Admin theme") ?> </h2> <div class="gBlock gSelected"> <img src="<?= url::file("themes/{$admin}/thumbnail.png") ?>" - alt="<?= $themes[$admin]->name ?>" /> + alt="<?= html::clean_attribute($themes[$admin]->name) ?>" /> <h3> <?= $themes[$admin]->name ?> </h3> <p> <?= $themes[$admin]->description ?> @@ -68,9 +68,9 @@ <? if (!$info->admin) continue ?> <? if ($id == $admin) continue ?> <div class="gBlock"> - <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>"> + <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>"> <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>" - alt="<?= $info->name ?>" /> + alt="<?= html::clean_attribute($info->name) ?>" /> <h3> <?= $info->name ?> </h3> <p> <?= $info->description ?> diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php index b77a1707..897946a2 100644 --- a/modules/gallery/views/after_install.html.php +++ b/modules/gallery/views/after_install.html.php 
@@ -13,7 +13,7 @@ <p> <a href="<?= url::site("form/edit/users/{$user->id}") ?>" - title="<?= t("Edit Your Profile") ?>" + title="<?= t("Edit Your Profile")->for_html_attr() ?>" id="gAfterInstallChangePasswordLink" class="gButtonLink ui-state-default ui-corners-all"><?= t("Change Password Now") ?></a> <script> $("#gAfterInstallChangePasswordLink").gallery_dialog(); diff --git a/modules/gallery/views/after_install_loader.html.php b/modules/gallery/views/after_install_loader.html.php index 54484963..c2e3e1d9 100644 --- a/modules/gallery/views/after_install_loader.html.php +++ b/modules/gallery/views/after_install_loader.html.php @@ -1,6 +1,6 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> <span id="gAfterInstall" - title="<?= t("Welcome to Gallery 3") ?>" + title="<?= t("Welcome to Gallery 3")->for_html_attr() ?>" href="<?= url::site("after_install") ?>"/> <script type="text/javascript"> $(document).ready(function(){$("#gAfterInstall").gallery_dialog({immediate: true});}); diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php index c68a63c8..3a43f7d3 100644 --- a/modules/gallery/views/l10n_client.html.php +++ b/modules/gallery/views/l10n_client.html.php @@ -66,7 +66,7 @@ (<a href="http://www.unicode.org/cldr/data/charts/supplemental/language_plural_rules.html"><?= t("learn more about plural forms") ?></a>) <?= form::textarea("l10n-edit-plural-translation-other", "", ' rows="2"') ?> </div> - <input type="submit" name="l10n-edit-save" value="<?= t("Save translation") ?>"/> + <input type="submit" name="l10n-edit-save" value="<?= t("Save translation")->for_html_attr() ?>"/> <a href="javascript: Gallery.l10nClient.copySourceText()" class="gButtonLink ui-state-default ui-corner-all"><?= t("Copy source text") ?></a> </form> diff --git a/modules/gallery/views/move_browse.html.php b/modules/gallery/views/move_browse.html.php index 4f69c0e9..99728ecc 100644 --- a/modules/gallery/views/move_browse.html.php 
+++ b/modules/gallery/views/move_browse.html.php @@ -42,6 +42,6 @@ <form method="post" action="<?= url::site("move/save/$source->id") ?>"> <?= access::csrf_form_field() ?> <input type="hidden" name="target_id" value="" /> - <input type="submit" id="gMoveButton" value="<?= t("Move") ?>" disabled="disabled"/> + <input type="submit" id="gMoveButton" value="<?= t("Move")->for_html_attr() ?>" disabled="disabled"/> </form> </div> diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php index e6b217c5..a0bb35f2 100644 --- a/modules/gallery/views/permissions_form.html.php +++ b/modules/gallery/views/permissions_form.html.php @@ -20,9 +20,9 @@ <? if ($lock): ?> <td class="gDenied"> - <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album') ?>" alt="<?= t('denied icon') ?>" /> - <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album') ?>"> - <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon') ?>" /> + <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album')->for_html_attr() ?>" alt="<?= t('denied icon')->for_html_attr() ?>" /> + <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon')->for_html_attr() ?>" /> </a> </td> <? else: ?> 
@@ -30,23 +30,23 @@ <? if ($allowed): ?> <td class="gAllowed"> <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('allowed through parent album, click to allow explicitly') ?>"> - <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon') ?>" /> + title="<?= t('allowed through parent album, click to allow explicitly')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon')->for_html_attr() ?>" /> </a> <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to deny') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" /> + title="<?= t('click to deny')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" /> </a> </td> <? 
else: ?> <td class="gDenied"> <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to allow') ?>"> - <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" /> + title="<?= t('click to allow')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" /> </a> <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('denied through parent album, click to deny explicitly') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon') ?>" /> + title="<?= t('denied through parent album, click to deny explicitly')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon')->for_html_attr() ?>" /> </a> </td> <? endif ?> 
@@ -54,31 +54,31 @@ <? elseif ($intent === access::DENY): ?> <td class="gDenied"> <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to allow') ?>"> - <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" /> + title="<?= t('click to allow')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" /> </a> <? if ($item->id == 1): ?> - <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" title="<?= t('denied') ?>"/> + <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" title="<?= t('denied')->for_html_attr() ?>"/> <? else: ?> <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('denied, click to reset') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" /> + title="<?= t('denied, click to reset')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" /> </a> <? endif ?> </td> <? elseif ($intent === access::ALLOW): ?> <td class="gAllowed"> <? if ($item->id == 1): ?> - <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed") ?>" alt="<?= t('allowed icon') ?>" /> + <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed")->for_html_attr() ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" /> <? 
else: ?> <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('allowed, click to reset') ?>"> - <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon') ?>" /> + title="<?= t('allowed, click to reset')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" /> </a> <? endif ?> <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to deny') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" /> + title="<?= t('click to deny')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" /> </a> </td> <? endif ?> diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php index 9cf554ec..7f8a96df 100644 --- a/modules/gallery/views/simple_uploader.html.php +++ b/modules/gallery/views/simple_uploader.html.php @@ -35,7 +35,7 @@ <span id="gUploadQueueInfo"> <?= t("Upload Queue") ?> </span> - <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads") ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a> + <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads")->for_html_attr() ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a> </p> <div id="gAddPhotosCanvas" style="text-align: center;"> <div id="gAddPhotosQueue"></div> diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php index 731703c7..3612cbc0 100644 --- a/modules/rss/views/feed.mrss.php +++ b/modules/rss/views/feed.mrss.php 
@@ -22,25 +22,25 @@ <lastBuildDate><?= $pub_date ?></lastBuildDate> <? foreach ($feed->children as $child): ?> <item> - <title><?= html::clean($child->title) ?></title> + <title><?= html::purify($child->title) ?></title> <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link> <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid> <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate> <content:encoded> <![CDATA[ - <span><?= html::clean($child->description) ?></span> + <span><?= html::purify($child->description) ?></span> <p> <? if ($child->type == "photo" || $child->type == "album"): ?> <img alt="" src="<?= $child->resize_url(true) ?>" - title="<?= html::clean($child->title) ?>" + title="<?= html::purify($child->title)->for_html_attr() ?>" height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br /> <? else: ?> <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>"> <img alt="" src="<?= $child->thumb_url(true) ?>" - title="<?= html::clean($child->title) ?>" + title="<?= html::purify($child->title)->for_html_attr() ?>" height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br /> <? endif ?> - <?= html::clean($child->description) ?> + <?= html::purify($child->description) ?> </p> ]]> </content:encoded> diff --git a/modules/search/views/search_link.html.php b/modules/search/views/search_link.html.php index 3f1bca91..51bb4e14 100644 --- a/modules/search/views/search_link.html.php +++ b/modules/search/views/search_link.html.php @@ -6,7 +6,7 @@ <input type="text" name="q" id="gSearch"/> </li> <li> - <input type="submit" value="<?= t("Go") ?>" /> + <input type="submit" value="<?= t("Go")->for_html_attr() ?>" /> </li> </ul> </form> diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php index 9455f9d9..c065e4b1 100644 --- a/modules/user/views/admin_users.html.php +++ b/modules/user/views/admin_users.html.php 
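Review bot: `<title><?= html::purify($child->title) ?></title>` in feed.mrss.php is emitted as XML element content outside the CDATA section, where `html::clean` was used before. `html::purify` is not shown here, but if it returns HTML with permitted tags or named entities intact, a title containing markup would add child elements to `<title>` or make the feed ill-formed for strict XML parsers. Keeping `<title><?= html::clean($child->title) ?></title>` for this one element, and using `html::purify` only inside `<content:encoded>`, would avoid that.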
@@ -44,7 +44,7 @@ <div class="gBlock"> <a href="<?= url::site("admin/users/add_user_form") ?>" class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all" - title="<?= t("Create a new user") ?>"> + title="<?= t("Create a new user")->for_html_attr() ?>"> <span class="ui-icon ui-icon-circle-plus"></span> <?= t("Add a new user") ?> </a> @@ -67,8 +67,8 @@ <tr id="gUser-<?= $user->id ?>" class="<?= text::alternate("gOddRow", "gEvenRow") ?> user <?= $user->admin ? "admin" : "" ?>"> <td id="user-<?= $user->id ?>" class="core-info gDraggable"> <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>" - title="<?= t("Drag user onto group below to add as a new member") ?>" - alt="<?= html::clean($user->name) ?>" + title="<?= t("Drag user onto group below to add as a new member")->for_html_attr() ?>" + alt="<?= html::clean_attribute($user->name) ?>" width="20" height="20" /> <?= html::clean($user->name) ?> @@ -92,7 +92,7 @@ class="gDialogLink gButtonLink ui-state-default ui-corner-all ui-icon-left"> <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a> <? else: ?> - <span title="<?= t("This user cannot be deleted") ?>" + <span title="<?= t("This user cannot be deleted")->for_html_attr() ?>" class="gButtonLink ui-state-disabled ui-corner-all ui-icon-left"> <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></span> <? endif ?> @@ -106,7 +106,7 @@ <div id="gGroupAdmin" class="gBlock"> <a href="<?= url::site("admin/users/add_group_form") ?>" class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all" - title="<?= t("Create a new group") ?>"> + title="<?= t("Create a new group")->for_html_attr() ?>"> <span class="ui-icon ui-icon-circle-plus"></span> <?= t("Add a new group") ?> </a> diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php index 8418ebc9..476e0817 100644 --- a/modules/user/views/admin_users_group.html.php 
+++ b/modules/user/views/admin_users_group.html.php @@ -3,11 +3,11 @@ <?= html::clean($group->name) ?> <? if (!$group->special): ?> <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>" - title="<?= t("Delete the %name group", array("name" => $group->name)) ?>" + title="<?= t("Delete the %name group", array("name" => $group->name))->for_html_attr() ?>" class="gDialogLink gButtonLink ui-state-default ui-corner-all"> <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> <? else: ?> - <a title="<?= t("This default group cannot be deleted") ?>" + <a title="<?= t("This default group cannot be deleted")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left"> <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> <? endif ?> @@ -22,7 +22,7 @@ <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)" class="gButtonLink ui-state-default ui-corner-all ui-icon-left" title="<?= t("Remove %user from %group group", - array("user" => $user->name, "group" => $group->name)) ?>"> + array("user" => $user->name, "group" => $group->name))->for_html_attr() ?>"> <span class="ui-icon ui-icon-closethick"><?= t("remove") ?></span> </a> <? endif ?> diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php index 27431ce8..bb670d51 100644 --- a/modules/user/views/login.html.php +++ b/modules/user/views/login.html.php @@ -3,7 +3,7 @@ <? if ($user->guest): ?> <li class="first"> <a href="<?= url::site("login/ajax") ?>" - title="<?= t("Login to Gallery") ?>" + title="<?= t("Login to Gallery")->for_html_attr() ?>" id="gLoginLink"><?= t("Login") ?></a> </li> <? else: ?> diff --git a/modules/watermark/views/admin_watermarks.html.php b/modules/watermark/views/admin_watermarks.html.php index e83a7efa..ac69d21d 100644 --- a/modules/watermark/views/admin_watermarks.html.php +++ b/modules/watermark/views/admin_watermarks.html.php 
@@ -7,7 +7,7 @@ <? if (empty($name)): ?> <a href="<?= url::site("admin/watermarks/form_add") ?>" - title="<?= t("Upload a watermark") ?>" + title="<?= t("Upload a watermark")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-document-b"></span><?= t("Upload a watermark") ?></a> <? else: ?> <h2> <?= t("Active Watermark") ?> </h2> @@ -26,10 +26,10 @@ </div> <div class="controls"> <a href="<?= url::site("admin/watermarks/form_edit") ?>" - title="<?= t("Edit Watermark") ?>" + title="<?= t("Edit Watermark")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-pencil"></span><?= t("edit") ?></a> <a href="<?= url::site("admin/watermarks/form_delete") ?>" - title="<?= t("Delete Watermark") ?>" + title="<?= t("Delete Watermark")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a> </div> </div> |