Diffstat (limited to 'modules/user')
-rw-r--r-- | modules/user/controllers/admin_users.php | 17 | ||||
-rw-r--r-- | modules/user/controllers/login.php | 5 | ||||
-rw-r--r-- | modules/user/controllers/logout.php | 4 | ||||
-rw-r--r-- | modules/user/controllers/password.php | 4 |
4 files changed, 18 insertions, 12 deletions
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index fe8061aa..b5dc6cb5 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -50,7 +50,7 @@ class Admin_Users_Controller extends Controller {
 }
 $user->save();
- message::success(t("Created user %user_name", array("user_name" => $user->name)));
+ message::success(t("Created user %user_name", array("user_name" => p::clean($user->name))));
 print json_encode(array("result" => "success"));
 } else {
 print json_encode(array("result" => "error",
@@ -83,7 +83,7 @@ class Admin_Users_Controller extends Controller {
 "form" => $form->__toString()));
 }
- $message = t("Deleted user %user_name", array("user_name" => $name));
+ $message = t("Deleted user %user_name", array("user_name" => p::clean($name)));
 log::success("user", $message);
 message::success($message);
 print json_encode(array("result" => "success"));
@@ -139,7 +139,7 @@ class Admin_Users_Controller extends Controller {
 }
 $user->save();
- message::success(t("Changed user %user_name", array("user_name" => $user->name)));
+ message::success(t("Changed user %user_name", array("user_name" => p::clean($user->name))));
 print json_encode(array("result" => "success"));
 } else {
 print json_encode(array("result" => "error",
@@ -200,7 +200,8 @@ class Admin_Users_Controller extends Controller {
 if ($valid) {
 $group = group::create($new_name);
 $group->save();
- message::success(t("Created group %group_name", array("group_name" => $group->name)));
+ message::success(
+ t("Created group %group_name", array("group_name" => p::clean($group->name))));
 print json_encode(array("result" => "success"));
 } else {
 print json_encode(array("result" => "error",
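Review bot: The new `message::success(t("Created user %user_name", array("user_name" => p::clean($user->name))))` line escapes at the call site, so its correctness hinges on two things the hunk does not show: what `p::clean` actually produces, and whether the message renderer escapes again. If `p::clean` is a purifier that keeps a permitted tag subset rather than entity-encoding everything, a name like `<b>x</b>` still renders as markup; if the renderer also escapes, a name containing `&` will display as `&amp;`. For a plain identifier the narrower primitive is a full entity escape, e.g. `htmlspecialchars($user->name, ENT_QUOTES, 'UTF-8')`, and doing it once inside `message::success` or `t()` would stop future call sites from forgetting it, as every hunk in this file has to remember it individually. The enclosing method starts before this hunk.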
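Review bot: On the new `$message = t("Deleted user %user_name", array("user_name" => p::clean($name)));` line the same pre-escaped string is handed to both `message::success` and `log::success`, so the persisted log entry now contains HTML entities rather than the user name itself. That couples the log store to an HTML consumer: any non-HTML reader (export, CLI, a grep over the table) sees `&lt;`/`&amp;` sequences, and a future HTML log view that escapes on output will double-encode. Escaping at render time and keeping the stored log text raw, e.g. `log::success("user", t("Deleted user %user_name", array("user_name" => $name)));` with the escape applied only on the `message::success` argument, keeps the two consumers independent; if the log viewer is known to emit the text unescaped, say so in a comment next to this line. Where `$name` comes from is outside the hunk.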
@@ -229,7 +230,7 @@ class Admin_Users_Controller extends Controller {
 "form" => $form->__toString()));
 }
- $message = t("Deleted group %group_name", array("group_name" => $name));
+ $message = t("Deleted group %group_name", array("group_name" => p::clean($name)));
 log::success("group", $message);
 message::success($message);
 print json_encode(array("result" => "success"));
@@ -266,10 +267,12 @@ class Admin_Users_Controller extends Controller {
 if ($valid) {
 $group->name = $form->edit_group->inputs["name"]->value;
 $group->save();
- message::success(t("Changed group %group_name", array("group_name" => $group->name)));
+ message::success(
+ t("Changed group %group_name", array("group_name" => p::clean($group->name))));
 print json_encode(array("result" => "success"));
 } else {
- message::error(t("Failed to change group %group_name", array("group_name" => $group->name)));
+ message::error(
+ t("Failed to change group %group_name", array("group_name" => p::clean($group->name))));
 print json_encode(array("result" => "error",
 "form" => $form->__toString()));
 }
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 54a7905e..4d901051 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -62,7 +62,8 @@ class Login_Controller extends Controller {
 if (!$user->loaded || !user::is_correct_password($user, $form->login->password->value)) {
 log::warning(
 "user",
- t("Failed login for %name", array("name" => $form->login->inputs["name"]->value)));
+ t("Failed login for %name",
+ array("name" => p::clean($form->login->inputs["name"]->value))));
 $form->login->inputs["name"]->add_error("invalid_login", 1);
 $valid = false;
 }
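Review bot: The value escaped on the new `array("name" => p::clean($form->login->inputs["name"]->value))` line is raw, unauthenticated form input, and HTML escaping is only one of the properties the log needs from it: the submitted name can be arbitrarily long and can carry newlines or other control characters, which matter as soon as the warning is read anywhere other than the HTML log page. Stripping control characters and capping the length before logging, e.g. `p::clean(substr(preg_replace('/[\x00-\x1f\x7f]/', '', $form->login->inputs["name"]->value), 0, 64))`, keeps the entry useful without trusting the input. The enclosing method begins before this hunk and continues after it.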
@@ -70,7 +71,7 @@ class Login_Controller extends Controller {
 if ($valid) {
 user::login($user);
- log::info("user", t("User %name logged in", array("name" => $user->name)));
+ log::info("user", t("User %name logged in", array("name" => p::clean($user->name))));
 }
 // Either way, regenerate the session id to avoid session trapping
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index a541ed9b..63971789 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -23,8 +23,8 @@ class Logout_Controller extends Controller {
 $user = user::active();
 user::logout();
- log::info("user", t("User %name logged out", array("name" => $user->name)),
- html::anchor("user/$user->id", $user->name));
+ log::info("user", t("User %name logged out", array("name" => p::clean($user->name))),
+ html::anchor("user/$user->id", p::clean($user->name)));
 if ($this->input->get("continue")) {
 $item = url::get_item_from_uri($this->input->get("continue"));
 if (access::can("view", $item)) {
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index 2dde11b8..ed3b9736 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -72,7 +72,9 @@ class Password_Controller extends Controller {
 ->message($message->render())
 ->send();
- log::success("user", "Password reset email sent for user $user->name");
+ log::success(
+ "user",
+ t("Password reset email sent for user %name", array("name" => p::clean($user->name)));
 } else {
 // Don't include the username here until you're sure that it's XSS safe
 log::warning(
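Review bot: The new `html::anchor("user/$user->id", p::clean($user->name))` line hands an already-escaped title to a helper that may escape it again; confirm whether `html::anchor` entity-encodes its title argument, because if it does, names containing `&`, `<` or quotes will show up in the log link as `&amp;`-style artifacts and the inner `p::clean` should be dropped from that argument only (the first, message argument keeps it). Separately, `$user` is read with `user::active()` before `user::logout()` runs, so with no authenticated session this presumably yields whatever guest user the framework returns and records a "logged out" event for it; worth confirming the controller rejects unauthenticated requests before this point, which is outside the hunk.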
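Review bot: The `else` branch directly under the new `log::success(` call still carries the comment "Don't include the username here until you're sure that it's XSS safe", which this hunk has now effectively answered for the success path by escaping with `p::clean`; leaving the comment as an open question next to the solved case invites the next author to copy the unescaped form. Either apply the same shape to that `log::warning` (its arguments are outside the hunk), i.e. `t("Password reset attempted for unknown user %name", array("name" => p::clean($name)))` with whatever variable the branch has, or rewrite the comment to `// Username is intentionally omitted here; escape with p::clean() if it is ever added` so the intent is explicit. The enclosing method begins before this hunk and continues past it.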