6 files changed, 18 insertions, 12 deletions

diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index 79bc1183..64007fdb 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
     module::set_var($module_name, $var_name, Input::instance()->post("value"));
     message::success(
       t("Saved value for %var (%module_name)",
-        array("var" => $var_name, "module_name" => $module_name)));
+        array("var" => p::clean($var_name), "module_name" => $module_name)));
 
     print json_encode(array("result" => "success"));
   }
diff --git a/modules/gallery/controllers/admin_modules.php b/modules/gallery/controllers/admin_modules.php
index ed1f7665..dfa49a0e 100644
--- a/modules/gallery/controllers/admin_modules.php
+++ b/modules/gallery/controllers/admin_modules.php
@@ -56,7 +56,7 @@ class Admin_Modules_Controller extends Admin_Controller {
 
     module::event("module_change", $changes);
 
-    // @todo this type of collation is questionable from a i18n perspective
+    // @todo this type of collation is questionable from an i18n perspective
     if ($activated_names) {
       message::success(t("Activated: %names", array("names" => join(", ", $activated_names))));
     }
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 22f50fb8..d141d157 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -111,7 +111,8 @@ class Albums_Controller extends Items_Controller {
 
       log::success("content", "Created an album",
                html::anchor("albums/$new_album->id", "view album"));
-      message::success(t("Created album %album_title", array("album_title" => $new_album->title)));
+      message::success(
+        t("Created album %album_title", array("album_title" => p::clean($new_album->title))));
 
       print json_encode(
         array("result" => "success",
@@ -143,7 +144,8 @@ class Albums_Controller extends Items_Controller {
         user::active()->id);
 
       log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo"));
-      message::success(t("Added photo %photo_title", array("photo_title" => $photo->title)));
+      message::success(
+        t("Added photo %photo_title", array("photo_title" => p::clean($photo->title))));
 
       print json_encode(
         array("result" => "success",
@@ -197,7 +199,8 @@ class Albums_Controller extends Items_Controller {
       module::event("item_updated", $orig, $album);
 
       log::success("content", "Updated album", "<a href=\"albums/$album->id\">view</a>");
-      message::success(t("Saved album %album_title", array("album_title" => $album->title)));
+      message::success(
+        t("Saved album %album_title", array("album_title" => p::clean($album->title))));
 
       print json_encode(
         array("result" => "success",
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index d8cca825..30a5d78c 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -94,7 +94,8 @@ class Movies_Controller extends Items_Controller {
       module::event("item_updated", $orig, $photo);
 
       log::success("content", "Updated photo", "<a href=\"photos/$photo->id\">view</a>");
-      message::success(t("Saved photo %photo_title", array("photo_title" => $photo->title)));
+      message::success(
+        t("Saved photo %photo_title", array("photo_title" => p::clean($photo->title))));
 
       print json_encode(
         array("result" => "success",
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index f5be5d59..6a62e859 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -87,7 +87,8 @@ class Photos_Controller extends Items_Controller {
       module::event("item_updated", $orig, $photo);
 
       log::success("content", "Updated photo", "<a href=\"photos/$photo->id\">view</a>");
-      message::success(t("Saved photo %photo_title", array("photo_title" => $photo->title)));
+      message::success(
+        t("Saved photo %photo_title", array("photo_title" => p::clean($photo->title))));
 
       print json_encode(
         array("result" => "success",
diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php
index e89d9701..5d3d8885 100644
--- a/modules/gallery/controllers/quick.php
+++ b/modules/gallery/controllers/quick.php
@@ -89,7 +89,7 @@ class Quick_Controller extends Controller {
     access::required("view", $item->parent());
     access::required("edit", $item->parent());
 
-    $msg = t("Made <b>%title</b> this album's cover", array("title" => $item->title));
+    $msg = t("Made <b>%title</b> this album's cover", array("title" => p::clean($item->title)));
 
     item::make_album_cover($item);
     message::success($msg);
@@ -105,9 +105,10 @@ class Quick_Controller extends Controller {
     if ($item->is_album()) {
       print t(
         "Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
-        array("title" => $item->title));
+        array("title" => p::clean($item->title)));
     } else {
-      print t("Are you sure you want to delete <b>%title</b>?", array("title" => $item->title));
+      print t("Are you sure you want to delete <b>%title</b>?",
+              array("title" => p::clean($item->title)));
     }
 
     $form = item::get_delete_form($item);
@@ -121,9 +122,9 @@ class Quick_Controller extends Controller {
     access::required("edit", $item);
 
     if ($item->is_album()) {
-      $msg = t("Deleted album <b>%title</b>", array("title" => $item->title));
+      $msg = t("Deleted album <b>%title</b>", array("title" => p::clean($item->title)));
     } else {
-      $msg = t("Deleted photo <b>%title</b>", array("title" => $item->title));
+      $msg = t("Deleted photo <b>%title</b>", array("title" => p::clean($item->title)));
     }
 
     $item->delete();