Diffstat (limited to 'modules/gallery')
-rw-r--r--modules/gallery/controllers/admin_theme_options.php14
-rw-r--r--modules/gallery/helpers/module.php4
-rw-r--r--modules/gallery/views/form_uploadify.html.php2
3 files changed, 15 insertions, 5 deletions
diff --git a/modules/gallery/controllers/admin_theme_options.php b/modules/gallery/controllers/admin_theme_options.php
index 38d2b0a8..3258040c 100644
--- a/modules/gallery/controllers/admin_theme_options.php
+++ b/modules/gallery/controllers/admin_theme_options.php
@@ -53,11 +53,17 @@ class Admin_Theme_Options_Controller extends Admin_Controller {
module::set_var("gallery", "resize_size", $resize_size);
}
- module::set_var("gallery", "header_text", $form->edit_theme->header_text->value);
- module::set_var("gallery", "footer_text", $form->edit_theme->footer_text->value);
module::set_var("gallery", "show_credits", $form->edit_theme->show_credits->value);
- module::set_var("gallery", "favicon_url", $form->edit_theme->favicon_url->value);
- module::set_var("gallery", "apple_touch_icon_url", $form->edit_theme->apple_touch_icon_url->value);
+
+ // Sanitize values that get placed directly in HTML output by theme.
+ module::set_var("gallery", "header_text",
+ html::purify($form->edit_theme->header_text->value));
+ module::set_var("gallery", "footer_text",
+ html::purify($form->edit_theme->footer_text->value));
+ module::set_var("gallery", "favicon_url",
+ html::purify($form->edit_theme->favicon_url->value));
+ module::set_var("gallery", "apple_touch_icon_url",
+ html::purify($form->edit_theme->apple_touch_icon_url->value));
module::event("theme_edit_form_completed", $form);
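Review bot: html::purify is the wrong filter for the two URL fields stored in the last two added set_var calls (favicon_url, apple_touch_icon_url): a purifier strips or rewrites markup, but a plain string with no tags passes through essentially unchanged, so a value with a non-http scheme still reaches the theme's `<link href>` attribute as stored. Validate the URL before storing instead — accept only absolute http/https URLs (`filter_var($url, FILTER_VALIDATE_URL)` plus a scheme check) or site-relative paths, and reject or blank the value otherwise; the theme must still attribute-escape the value at output, since purification is a markup filter, not an attribute encoder. For header_text and footer_text purify is the appropriate filter, but the stored value is now purifier output, so any view that escapes those vars again will presumably double-encode — worth confirming against the theme templates. The enclosing method starts and ends outside the hunk.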
diff --git a/modules/gallery/helpers/module.php b/modules/gallery/helpers/module.php
index 1b6c8d1a..0e190e46 100644
--- a/modules/gallery/helpers/module.php
+++ b/modules/gallery/helpers/module.php
@@ -93,6 +93,10 @@ class module_Core {
$module_name = basename(dirname($file));
$modules->$module_name =
new ArrayObject(parse_ini_file($file), ArrayObject::ARRAY_AS_PROPS);
+ foreach ($modules->$module_name as &$value) {
+ $value = html::purify($value);
+ }
+
$m =& $modules->$module_name;
$m->installed = module::is_installed($module_name);
$m->active = module::is_active($module_name);
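Review bot: The by-reference loop added at the top of the hunk leaves `$value` bound to the last element of `$modules->$module_name` after it finishes; add `unset($value);` directly after the loop's closing brace so any later plain assignment to `$value` in this function cannot silently overwrite that entry. parse_ini_file can also return nested arrays for `key[] =` entries, and html::purify presumably expects a string, so guard with `if (is_string($value))` before purifying if any module.info uses that form. The enclosing function starts and ends outside the hunk.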
diff --git a/modules/gallery/views/form_uploadify.html.php b/modules/gallery/views/form_uploadify.html.php
index bba6db73..da2455d4 100644
--- a/modules/gallery/views/form_uploadify.html.php
+++ b/modules/gallery/views/form_uploadify.html.php
@@ -120,7 +120,7 @@
<div class="requires-flash">
<? if ($suhosin_session_encrypt || (identity::active_user()->admin && !$movies_allowed)): ?>
- <div class="g-message-block g-info">
+ <div class="g-message-block">
<? if ($suhosin_session_encrypt): ?>
<p class="g-error">
<?= t("Error: your server is configured to use the <a href=\"%encrypt_url\"><code>suhosin.session.encrypt</code></a> setting from <a href=\"%suhosin_url\">Suhosin</a>. You must disable this setting to upload photos.",