diff options
23 files changed, 62 insertions, 51 deletions
diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js index 6ec8c634..1e91e3ae 100644 --- a/lib/gallery.dialog.js +++ b/lib/gallery.dialog.js @@ -1,3 +1,4 @@ + (function($) { $.widget("ui.gallery_dialog", { _init: function() { @@ -26,8 +27,8 @@ $("#g-dialog").gallery_show_loading(); - $.get(sHref, function(data) { - $("#g-dialog").html(data).gallery_show_loading(); + $.getJSON(sHref, function(data) { + $("#g-dialog").html(unescape(data.form)).gallery_show_loading(); if ($("#g-dialog form").length) { self.form_loaded(null, $("#g-dialog form")); diff --git a/modules/exif/controllers/exif.php b/modules/exif/controllers/exif.php index 2fe875e3..fe5b2ff4 100644 --- a/modules/exif/controllers/exif.php +++ b/modules/exif/controllers/exif.php @@ -28,6 +28,6 @@ class Exif_Controller extends Controller { $view = new View("exif_dialog.html"); $view->details = exif::get($item); - print $view; + print json_encode(array("form" => (string) $view)); } } diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php index 6f4e9403..2bbbdf50 100644 --- a/modules/gallery/controllers/admin_advanced_settings.php +++ b/modules/gallery/controllers/admin_advanced_settings.php @@ -39,7 +39,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller { $group->input("var_name")->label(t("Setting"))->value($var_name)->disabled(1); $group->textarea("value")->label(t("Value"))->value($value); $group->submit("")->value(t("Save")); - print $form; + print json_encode(array("form" => (string) $form)); } public function save($module_name, $var_name) { diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php index d6a2d191..489f5d54 100644 --- a/modules/gallery/controllers/admin_maintenance.php +++ b/modules/gallery/controllers/admin_maintenance.php @@ -64,7 +64,7 @@ class Admin_Maintenance_Controller extends Admin_Controller { log::info("tasks", t("Task %task_name started (task id %task_id)", array("task_name" => $task->name, "task_id" => $task->id)), html::anchor("admin/maintenance", t("maintenance"))); - print $view; + print json_encode(array("form" => (string) $view)); } /** @@ -86,7 +86,7 @@ class Admin_Maintenance_Controller extends Admin_Controller { log::info("tasks", t("Task %task_name resumed (task id %task_id)", array("task_name" => $task->name, "task_id" => $task->id)), html::anchor("admin/maintenance", t("maintenance"))); - print $view; + print json_encode(array("form" => (string) $view)); } /** @@ -103,7 +103,7 @@ class Admin_Maintenance_Controller extends Admin_Controller { $view = new View("admin_maintenance_show_log.html"); $view->task = $task; - print $view; + print json_encode(array("form" => (string) $view)); } /** diff --git a/modules/gallery/controllers/admin_themes.php b/modules/gallery/controllers/admin_themes.php index e59eadaf..b1bd438f 100644 --- a/modules/gallery/controllers/admin_themes.php +++ b/modules/gallery/controllers/admin_themes.php @@ -52,7 +52,7 @@ class Admin_Themes_Controller extends Admin_Controller { } else { $view->url = item::root()->url("theme=$theme_name"); } - print $view; + print json_encode(array("form" => (string) $view)); } public function choose($type, $theme_name) { diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index eaa09be5..8aed1341 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -168,7 +168,7 @@ class Albums_Controller extends Items_Controller { access::required("view", $album); access::required("add", $album); - print album::get_add_form($album); + print json_encode(array("form" => (string) album::get_add_form($album))); } public function form_edit($album_id) { @@ -176,6 +176,6 @@ class Albums_Controller extends Items_Controller { access::required("view", $album); access::required("edit", $album); - print album::get_edit_form($album); + print json_encode(array("form" => (string) album::get_edit_form($album))); } } diff --git a/modules/gallery/controllers/flash_uploader.php b/modules/gallery/controllers/flash_uploader.php index f7da5124..be3896cd 100644 --- a/modules/gallery/controllers/flash_uploader.php +++ b/modules/gallery/controllers/flash_uploader.php @@ -26,7 +26,8 @@ class Flash_Uploader_Controller extends Controller { $item = $item->parent(); } - print $this->_get_add_form($item); + print json_encode(array("form" => (string)$this->_get_add_form($item))); + //print $this->_get_add_form($item); } public function start() { diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php index 2b60316b..b823504b 100644 --- a/modules/gallery/controllers/login.php +++ b/modules/gallery/controllers/login.php @@ -22,7 +22,7 @@ class Login_Controller extends Controller { public function ajax() { $view = new View("login_ajax.html"); $view->form = auth::get_login_form("login/auth_ajax"); - print $view; + print json_encode(array("form" => (string) $view)); } public function auth_ajax() { diff --git a/modules/gallery/controllers/move.php b/modules/gallery/controllers/move.php index f8b85b6f..a99ef341 100644 --- a/modules/gallery/controllers/move.php +++ b/modules/gallery/controllers/move.php @@ -26,7 +26,7 @@ class Move_Controller extends Controller { $view = new View("move_browse.html"); $view->source = $source; $view->tree = $this->_get_tree_html($source, ORM::factory("item", 1)); - print $view; + print json_encode(array("form" => (string) $view)); } public function save($source_id) { diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php index 16d22d90..c18dbcde 100644 --- a/modules/gallery/controllers/movies.php +++ b/modules/gallery/controllers/movies.php @@ -102,6 +102,6 @@ class Movies_Controller extends Items_Controller { access::required("view", $movie); access::required("edit", $movie); - print movie::get_edit_form($movie); + print json_encode(array("form" => (string) movie::get_edit_form($movie))); } } diff --git a/modules/gallery/controllers/permissions.php b/modules/gallery/controllers/permissions.php index fc06cb44..8fdda7b2 100644 --- a/modules/gallery/controllers/permissions.php +++ b/modules/gallery/controllers/permissions.php @@ -33,7 +33,7 @@ class Permissions_Controller extends Controller { $view->parents = $item->parents(); $view->form = $this->_get_form($item); - print $view; + print json_encode(array("form" => (string) $view)); } function form($id) { diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php index f336d07c..9f17cebb 100644 --- a/modules/gallery/controllers/photos.php +++ b/modules/gallery/controllers/photos.php @@ -24,9 +24,9 @@ class Photos_Controller extends Items_Controller { // sure that we're actually receiving an object throw new Kohana_404_Exception(); } - + access::required("view", $photo); - + $where = array(array("type", "!=", "album")); $position = $photo->parent()->get_position($photo, $where); if ($position > 1) { @@ -102,6 +102,6 @@ class Photos_Controller extends Items_Controller { access::required("view", $photo); access::required("edit", $photo); - print photo::get_edit_form($photo); + print json_encode(array("form" => (string) photo::get_edit_form($photo))); } } diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php index 6cfbbc62..7df5bf18 100644 --- a/modules/gallery/controllers/quick.php +++ b/modules/gallery/controllers/quick.php @@ -90,17 +90,10 @@ class Quick_Controller extends Controller { access::required("view", $item); access::required("edit", $item); - if ($item->is_album()) { - print t( - "Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.", - array("title" => html::purify($item->title))); - } else { - print t("Are you sure you want to delete <b>%title</b>?", - array("title" => html::purify($item->title))); - } - - $form = item::get_delete_form($item); - print $form; + $v = new View("quick_delete_confirm.html"); + $v->item = $item; + $v->form = item::get_delete_form($item); + print json_encode(array("form" => (string) $v)); } public function delete($id) { @@ -149,6 +142,6 @@ class Quick_Controller extends Controller { // Pass on the source item where this form was generated, so we have an idea where to return to. $form->hidden("from_id")->value((int)Input::instance()->get("from_id", 0)); - print $form; + print json_encode(array("form" => (string) $form)); } } diff --git a/modules/gallery/controllers/user_profile.php b/modules/gallery/controllers/user_profile.php index c064e791..431918ff 100644 --- a/modules/gallery/controllers/user_profile.php +++ b/modules/gallery/controllers/user_profile.php @@ -44,7 +44,7 @@ class User_Profile_Controller extends Controller { public function contact($id) { $user = identity::lookup_user($id); - print user_profile::get_contact_form($user); + print json_encode(array("form" => (string) user_profile::get_contact_form($user))); } public function send($id) { diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index 26edaebc..475f75c1 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -253,6 +253,7 @@ modules/gallery/views/permissions_form.html.php 75 DIRTY_JS $item- modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $group->id modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $permission->id modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $item->id +modules/gallery/views/quick_delete_confirm.html.php 11 DIRTY $form modules/gallery/views/reauthenticate.html.php 9 DIRTY $form modules/gallery/views/upgrader.html.php 57 DIRTY_ATTR $done?"muted":"" modules/gallery/views/upgrader.html.php 61 DIRTY_ATTR $done?"muted":"" diff --git a/modules/gallery/views/move_browse.html.php b/modules/gallery/views/move_browse.html.php index ce3fc2fd..f77c724c 100644 --- a/modules/gallery/views/move_browse.html.php +++ b/modules/gallery/views/move_browse.html.php @@ -1,4 +1,5 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> +<div> <script type="text/javascript"> var load_tree = function(target_id, locked) { var load_url = "<?= url::site("move/show_sub_tree/{$source->id}/__TARGETID__") ?>"; @@ -24,13 +25,13 @@ } } </script> -<h1 style="display: none"> +<h1 style="display:none" > <? if ($source->type == "photo"): ?> - <? t("Move this photo to a new album") ?> + <?= t("Move this photo to a new album") ?> <? elseif ($source->type == "movie"): ?> - <? t("Move this movie to a new album") ?> + <?= t("Move this movie to a new album") ?> <? elseif ($source->type == "album"): ?> - <? t("Move this album to a new album") ?> + <?= t("Move this album to a new album") ?> <? endif ?> </h1> <div id="g-move"> @@ -42,6 +43,8 @@ <form method="post" action="<?= url::site("move/save/$source->id") ?>"> <?= access::csrf_form_field() ?> <input type="hidden" name="target_id" value="" /> - <input type="submit" id="g-move-button" value="<?= t("Move")->for_html_attr() ?>" disabled="disabled"/> + <input type="submit" id="g-move-button" value="<?= t("Move")->for_html_attr() ?>" + disabled="disabled" class="submit" /> </form> </div> +</div> diff --git a/modules/gallery/views/quick_delete_confirm.html.php b/modules/gallery/views/quick_delete_confirm.html.php new file mode 100644 index 00000000..176ffb96 --- /dev/null +++ b/modules/gallery/views/quick_delete_confirm.html.php @@ -0,0 +1,12 @@ +<?php defined("SYSPATH") or die("No direct script access.") ?> +<div class="ui-helper-clearfix"> + <p> + <? if ($item->is_album()): ?> + <?= t("Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.", + array("title" => html::purify($item->title))) ?> + <? else: ?> + <?= t("Are you sure you want to delete <b>%title</b>?", array("title" => html::purify($item->title))) ?> + <? endif ?> + </p> + <?= $form ?> +</div> diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php index 135a6fc9..ebd40c8d 100644 --- a/modules/organize/controllers/organize.php +++ b/modules/organize/controllers/organize.php @@ -47,7 +47,7 @@ class Organize_Controller extends Controller { $v->controller_uri = url::site("organize") . "/"; $v->swf_uri = url::file("modules/organize/lib/Gallery3WebClient.swf?") . filemtime(MODPATH . "organize/lib/Gallery3WebClient.swf"); - print $v; + print json_encode(array("form" => (string) $v)); } function add_album_fields() { diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php index 715274ab..d6c2459d 100644 --- a/modules/server_add/controllers/server_add.php +++ b/modules/server_add/controllers/server_add.php @@ -30,7 +30,7 @@ class Server_Add_Controller extends Admin_Controller { $view->tree = new View("server_add_tree.html"); $view->tree->files = $files; $view->tree->parents = array(); - print $view; + print json_encode(array("form" => (string) $view)); } public function children() { diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php index 9e875d14..c2da7bc3 100644 --- a/modules/tag/controllers/admin_tags.php +++ b/modules/tag/controllers/admin_tags.php @@ -37,7 +37,7 @@ class Admin_Tags_Controller extends Admin_Controller { public function form_delete($id) { $tag = ORM::factory("tag", $id); if ($tag->loaded()) { - print tag::get_delete_form($tag); + print json_encode(array("form" => (string) tag::get_delete_form($tag))); } } diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index e14be393..b9d06891 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -61,7 +61,7 @@ class Admin_Users_Controller extends Admin_Controller { } public function add_user_form() { - print $this->_get_user_add_form_admin(); + print json_encode(array("form" => (string) $this->_get_user_add_form_admin())); } public function delete_user($id) { @@ -95,7 +95,7 @@ class Admin_Users_Controller extends Admin_Controller { if (empty($user)) { throw new Kohana_404_Exception(); } - print $this->_get_user_delete_form_admin($user); + print json_encode(array("form" => (string) $this->_get_user_delete_form_admin($user))); } public function edit_user($id) { @@ -146,7 +146,7 @@ class Admin_Users_Controller extends Admin_Controller { throw new Kohana_404_Exception(); } - print $this->_get_user_edit_form_admin($user); + print json_encode(array("form" => (string) $this->_get_user_edit_form_admin($user))); } public function add_user_to_group($user_id, $group_id) { @@ -199,7 +199,7 @@ class Admin_Users_Controller extends Admin_Controller { } public function add_group_form() { - print $this->_get_group_add_form_admin(); + print json_encode(array("form" => (string) $this->_get_group_add_form_admin())); } public function delete_group($id) { @@ -230,7 +230,7 @@ class Admin_Users_Controller extends Admin_Controller { throw new Kohana_404_Exception(); } - print $this->_get_group_delete_form_admin($group); + print json_encode(array("form" => (string) $this->_get_group_delete_form_admin($group))); } public function edit_group($id) { @@ -272,7 +272,7 @@ class Admin_Users_Controller extends Admin_Controller { throw new Kohana_404_Exception(); } - print $this->_get_group_edit_form_admin($group); + print json_encode(array("form" => (string) $this->_get_group_edit_form_admin($group))); } /* User Form Definitions */ diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php index 7f3f6b1f..4ddfb47c 100644 --- a/modules/user/controllers/users.php +++ b/modules/user/controllers/users.php @@ -139,7 +139,7 @@ class Users_Controller extends Controller { access::forbidden(); } - print $this->_get_edit_form($user); + print json_encode(array("form" => (string) $this->_get_edit_form($user))); } public function form_change_password($id) { @@ -148,7 +148,7 @@ class Users_Controller extends Controller { access::forbidden(); } - print $this->_get_change_password_form($user); + print json_encode(array("form" => (string) $this->_get_change_password_form($user))); } public function form_change_email($id) { @@ -157,7 +157,7 @@ class Users_Controller extends Controller { access::forbidden(); } - print $this->_get_change_email_form($user); + print json_encode(array("form" => (string) $this->_get_change_email_form($user))); } private function _get_change_password_form($user) { diff --git a/modules/watermark/controllers/admin_watermarks.php b/modules/watermark/controllers/admin_watermarks.php index 18b463ca..8b217b4a 100644 --- a/modules/watermark/controllers/admin_watermarks.php +++ b/modules/watermark/controllers/admin_watermarks.php @@ -35,7 +35,7 @@ class Admin_Watermarks_Controller extends Admin_Controller { } public function form_edit() { - print watermark::get_edit_form(); + print json_encode(array("form" => (string) watermark::get_edit_form())); } public function edit() { @@ -58,7 +58,7 @@ class Admin_Watermarks_Controller extends Admin_Controller { } public function form_delete() { - print watermark::get_delete_form(); + print json_encode(array("form" => (string) watermark::get_delete_form())); } public function delete() { @@ -88,7 +88,7 @@ class Admin_Watermarks_Controller extends Admin_Controller { } public function form_add() { - print watermark::get_add_form(); + print json_encode(array("form" => (string) watermark::get_add_form())); } public function add() { |