Diffstat (limited to 'modules/gallery')
-rw-r--r--modules/gallery/controllers/movies.php2
-rw-r--r--modules/gallery/helpers/gallery_task.php38
-rw-r--r--modules/gallery/tests/File_Structure_Test.php5
-rw-r--r--modules/gallery/tests/xss_data.txt3
-rw-r--r--modules/gallery/views/error_admin.html.php2
-rw-r--r--modules/gallery/views/form_uploadify.html.php2
6 files changed, 38 insertions, 14 deletions
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index ca332f67..56075710 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -67,7 +67,7 @@ class Movies_Controller extends Items_Controller {
log::success("content", "Updated movie", "<a href=\"{$movie->url()}\">view</a>");
message::success(
- t("Saved movie %movie_title", array("movie_title" => $movie->title)));
+ t("Saved movie %movie_title", array("movie_title" => html::purify($movie->title))));
if ($form->from_id->value == $movie->id) {
// Use the new url; it might have changed.
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index a79cb2d5..618cf8fd 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -398,42 +398,62 @@ class gallery_task_Core {
switch ($state) {
case self::FIX_STATE_START_MPTT:
$task->set("ptr", $ptr = 1);
- $task->set("stack", item::root()->id . ":L");
+ $task->set("stack", item::root()->id . "L1");
$state = self::FIX_STATE_RUN_MPTT;
break;
case self::FIX_STATE_RUN_MPTT:
$ptr = $task->get("ptr");
$stack = explode(" ", $task->get("stack"));
- list ($id, $ptr_mode) = explode(":", array_pop($stack));
- if ($ptr_mode == "L") {
- $stack[] = "$id:R";
+ preg_match("/([0-9]+)([A-Z])([0-9]+)/", array_pop($stack), $matches); // e.g. "12345L10"
+ list ( , $id, $ptr_mode, $level) = $matches; // Skip the 0th entry of matches.
+ switch ($ptr_mode) {
+ case "L":
+ // Albums could be parent nodes.
+ $stack[] = "{$id}R{$level}";
db::build()
->update("items")
->set("left_ptr", $ptr++)
->where("id", "=", $id)
->execute();
+ $level++;
foreach (db::build()
- ->select(array("id"))
+ ->select(array("id", "type"))
->from("items")
->where("parent_id", "=", $id)
- ->order_by("left_ptr", "ASC")
+ ->order_by("left_ptr", "DESC") // DESC since array_pop effectively reverses them
->execute() as $child) {
- array_push($stack, "{$child->id}:L");
+ $stack[] = ($child->type == "album") ? "{$child->id}L{$level}" : "{$child->id}B{$level}";
}
- } else if ($ptr_mode == "R") {
+ $completed++;
+ break;
+ case "B":
+ // Non-albums must be leaf nodes.
db::build()
->update("items")
+ ->set("left_ptr", $ptr++)
->set("right_ptr", $ptr++)
+ ->set("level", $level)
->set("relative_path_cache", null)
->set("relative_url_cache", null)
->where("id", "=", $id)
->execute();
+ $completed += 2; // we updated two pointers
+ break;
+ case "R":
+ db::build()
+ ->update("items")
+ ->set("right_ptr", $ptr++)
+ ->set("level", $level)
+ ->set("relative_path_cache", null)
+ ->set("relative_url_cache", null)
+ ->where("id", "=", $id)
+ ->execute();
+ $completed++;
}
$task->set("ptr", $ptr);
$task->set("stack", implode(" ", $stack));
- $completed++;
if (empty($stack)) {
$state = self::FIX_STATE_START_DUPE_SLUGS;
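Review bot: The result of `preg_match` in the FIX_STATE_RUN_MPTT case is never checked, so a stack entry that does not match leaves `$matches` empty, no `case` of the inner switch runs, and the popped entry is silently dropped. Because the stack string is persisted through `$task->set("stack", ...)`, a task saved in the old `id:L` format would presumably take exactly this path after the upgrade. Anchor the pattern and handle the miss explicitly, for example `if (!preg_match("/^([0-9]+)([LBR])([0-9]+)$/", array_pop($stack), $matches)) { ... }` with the body restarting the walk or reporting the malformed entry, and add a `default:` branch to the inner `switch`. The enclosing function starts and ends outside this hunk.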
diff --git a/modules/gallery/tests/File_Structure_Test.php b/modules/gallery/tests/File_Structure_Test.php
index ce75ea13..f46d9d64 100644
--- a/modules/gallery/tests/File_Structure_Test.php
+++ b/modules/gallery/tests/File_Structure_Test.php
@@ -175,6 +175,11 @@ class File_Structure_Test extends Gallery_Unit_Test_Case {
// Front controllers
break;
+ case DOCROOT . "lib/uploadify/uploadify.php":
+ case DOCROOT . "lib/uploadify/uploadify.allglyphs.php":
+ // Uploadify wrappers - directly accessible
+ break;
+
case DOCROOT . "local.php":
// Special case optional file, not part of the codebase
break;
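Review bot: The comment on the two new cases says only "directly accessible", which does not tell a later reader why these PHP files may be exempted from whatever check this switch applies to the rest of the tree. The only caller visible in this commit is form_uploadify.html.php, which now passes `url::file("lib/uploadify/uploadify.php")` as the uploader; `uploadify.allglyphs.php` is not referenced anywhere in the diff. I would expand the comment to something like `// Uploadify wrappers - requested directly by the browser as the uploader (see form_uploadify.html.php)` and confirm that both wrappers ignore request input, since they are reachable without going through the application's normal entry point. The switch these cases belong to starts and ends outside the hunk.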
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 2152858a..8504de3a 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -177,11 +177,10 @@ modules/gallery/views/error_admin.html.php 284 DIRTY_ATTR $env
modules/gallery/views/error_admin.html.php 285 DIRTY_JS $env_id
modules/gallery/views/error_admin.html.php 285 DIRTY $var
modules/gallery/views/error_admin.html.php 286 DIRTY_ATTR $env_id
-modules/gallery/views/error_admin.html.php 292 DIRTY $key
modules/gallery/views/error_admin.html.php 296 DIRTY Kohana_Exception::safe_dump($value,$key)
modules/gallery/views/form_uploadify.html.php 16 DIRTY_JS url::site("uploader/status/_S/_E")
modules/gallery/views/form_uploadify.html.php 24 DIRTY_JS $flash_minimum_version
-modules/gallery/views/form_uploadify.html.php 28 DIRTY_JS url::file("lib/uploadify/uploadify.swf")
+modules/gallery/views/form_uploadify.html.php 28 DIRTY_JS url::file("lib/uploadify/uploadify.php")
modules/gallery/views/form_uploadify.html.php 29 DIRTY_JS url::site("uploader/add_photo/{$album->id}")
modules/gallery/views/form_uploadify.html.php 31 DIRTY_JS implode(";",$extensions)
modules/gallery/views/form_uploadify.html.php 33 DIRTY_JS url::file("lib/uploadify/cancel.png")
diff --git a/modules/gallery/views/error_admin.html.php b/modules/gallery/views/error_admin.html.php
index cd1bd569..036e2049 100644
--- a/modules/gallery/views/error_admin.html.php
+++ b/modules/gallery/views/error_admin.html.php
@@ -289,7 +289,7 @@
<tr>
<td class="key">
<code>
- <?= $key?>
+ <?= html::purify($key) ?>
</code>
</td>
<td class="value">
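Review bot: `html::purify($key)` treats the key as HTML to be sanitised, but here `$key` is a plain-text label inside `<code>`, so markup-like characters in it would be filtered or rewritten rather than displayed as they are. In an error dump the exact key text matters; plain escaping, `<?= html::clean($key) ?>`, would show it verbatim and still neutralise markup, assuming html::clean is the helper's escape-only function. The surrounding table markup continues outside the hunk.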
diff --git a/modules/gallery/views/form_uploadify.html.php b/modules/gallery/views/form_uploadify.html.php
index c13e3418..4963d185 100644
--- a/modules/gallery/views/form_uploadify.html.php
+++ b/modules/gallery/views/form_uploadify.html.php
@@ -25,7 +25,7 @@
$("#g-uploadify").uploadify({
width: 298,
height: 32,
- uploader: "<?= url::file("lib/uploadify/uploadify.swf") ?>",
+ uploader: "<?= url::file("lib/uploadify/uploadify.php") ?>",
script: "<?= url::site("uploader/add_photo/{$album->id}") ?>",
scriptData: <?= json_encode($script_data) ?>,
fileExt: "<?= implode(";", $extensions) ?>",
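Review bot: The new uploader path is still printed raw inside a quoted JavaScript string, while `scriptData` two lines below is emitted with `json_encode`, and xss_data.txt keeps listing this line as DIRTY_JS. The value is a constant path, so the exposure is low, but encoding it the same way keeps the option block consistent and does not depend on what `url::file` returns: `uploader: <?= json_encode(url::file("lib/uploadify/uploadify.php")) ?>,`. The `uploadify({...})` call continues outside the hunk.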