1 files changed, 14 insertions, 6 deletions

diff --git a/modules/gallery/libraries/I18n.php b/modules/gallery/libraries/I18n.php
index d0531b9a..c3336052 100644
--- a/modules/gallery/libraries/I18n.php
+++ b/modules/gallery/libraries/I18n.php
@@ -89,6 +89,12 @@ class I18n_Core {
 
   /**
    * Translates a localizable message.
+   *
+   * Security:
+   * The returned string is safe for use in HTML (it contains a safe subset of HTML and
+   * interpolation parameters are converted to HTML entities).
+   * For use in JavaScript, please call ->for_js() on it.
+   *
    * @param $message String|array The message to be translated. E.g. "Hello world"
    *                 or array("one" => "One album", "other" => "%count albums")
    * @param $options array (optional) Options array for key value pairs which are used
@@ -115,7 +121,7 @@ class I18n_Core {
 
     $entry = $this->interpolate($locale, $entry, $values);
 
-    return $entry;
+    return SafeString::of_safe_html($entry);
   }
 
   private function lookup($locale, $message) {
@@ -184,17 +190,19 @@ class I18n_Core {
     return is_array($message);
   }
 
-  private function interpolate($locale, $string, $values) {
+  private function interpolate($locale, $string, $key_values) {
     // TODO: Handle locale specific number formatting.
 
     // Replace x_y before replacing x.
-    krsort($values, SORT_STRING);
+    krsort($key_values, SORT_STRING);
 
     $keys = array();
-    foreach (array_keys($values) as $key) {
+    $values = array();
+    foreach ($key_values as $key => $value) {
       $keys[] = "%$key";
+      $values[] = new SafeString($value);
     }
-    return str_replace($keys, array_values($values), $string);
+    return str_replace($keys, $values, $string);
   }
 
   private function pluralize($locale, $entry, $count) {
@@ -419,4 +427,4 @@ class I18n_Core {
         return $count == 1 ? 'one' : 'other';
     }
   }
-}
\ No newline at end of file
+}