Diffstat (limited to 'modules/user')
-rw-r--r--modules/user/controllers/admin_users.php17
-rw-r--r--modules/user/controllers/login.php5
-rw-r--r--modules/user/controllers/logout.php4
-rw-r--r--modules/user/controllers/password.php4
-rw-r--r--modules/user/helpers/user.php2
-rw-r--r--modules/user/helpers/user_theme.php5
-rw-r--r--modules/user/module.info4
-rw-r--r--modules/user/views/admin_users.html.php2
8 files changed, 23 insertions, 20 deletions
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index fe8061aa..b5dc6cb5 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -50,7 +50,7 @@ class Admin_Users_Controller extends Controller {
}
$user->save();
- message::success(t("Created user %user_name", array("user_name" => $user->name)));
+ message::success(t("Created user %user_name", array("user_name" => p::clean($user->name))));
print json_encode(array("result" => "success"));
} else {
print json_encode(array("result" => "error",
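Review bot: Escaping is applied by hand at each call site, here as `p::clean($user->name)` inside the `t()` arguments, so any other `t()` call that interpolates a user- or group-controlled value stays unescaped unless someone remembers to wrap it. The same pattern repeats in the remaining hunks of this file and in login.php and logout.php. Consider having `t()` escape substituted values by default, with an explicit opt-out for trusted markup, so that a missed call site fails safe instead of producing stored XSS in the message area. The enclosing method starts and ends outside the hunk, so other uses of the name in it cannot be checked from here.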
@@ -83,7 +83,7 @@ class Admin_Users_Controller extends Controller {
"form" => $form->__toString()));
}
- $message = t("Deleted user %user_name", array("user_name" => $name));
+ $message = t("Deleted user %user_name", array("user_name" => p::clean($name)));
log::success("user", $message);
message::success($message);
print json_encode(array("result" => "success"));
@@ -139,7 +139,7 @@ class Admin_Users_Controller extends Controller {
}
$user->save();
- message::success(t("Changed user %user_name", array("user_name" => $user->name)));
+ message::success(t("Changed user %user_name", array("user_name" => p::clean($user->name))));
print json_encode(array("result" => "success"));
} else {
print json_encode(array("result" => "error",
@@ -200,7 +200,8 @@ class Admin_Users_Controller extends Controller {
if ($valid) {
$group = group::create($new_name);
$group->save();
- message::success(t("Created group %group_name", array("group_name" => $group->name)));
+ message::success(
+ t("Created group %group_name", array("group_name" => p::clean($group->name))));
print json_encode(array("result" => "success"));
} else {
print json_encode(array("result" => "error",
@@ -229,7 +230,7 @@ class Admin_Users_Controller extends Controller {
"form" => $form->__toString()));
}
- $message = t("Deleted group %group_name", array("group_name" => $name));
+ $message = t("Deleted group %group_name", array("group_name" => p::clean($name)));
log::success("group", $message);
message::success($message);
print json_encode(array("result" => "success"));
@@ -266,10 +267,12 @@ class Admin_Users_Controller extends Controller {
if ($valid) {
$group->name = $form->edit_group->inputs["name"]->value;
$group->save();
- message::success(t("Changed group %group_name", array("group_name" => $group->name)));
+ message::success(
+ t("Changed group %group_name", array("group_name" => p::clean($group->name))));
print json_encode(array("result" => "success"));
} else {
- message::error(t("Failed to change group %group_name", array("group_name" => $group->name)));
+ message::error(
+ t("Failed to change group %group_name", array("group_name" => p::clean($group->name))));
print json_encode(array("result" => "error",
"form" => $form->__toString()));
}
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 54a7905e..4d901051 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -62,7 +62,8 @@ class Login_Controller extends Controller {
if (!$user->loaded || !user::is_correct_password($user, $form->login->password->value)) {
log::warning(
"user",
- t("Failed login for %name", array("name" => $form->login->inputs["name"]->value)));
+ t("Failed login for %name",
+ array("name" => p::clean($form->login->inputs["name"]->value))));
$form->login->inputs["name"]->add_error("invalid_login", 1);
$valid = false;
}
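Review bot: The name passed to `log::warning` on a failed login is whatever the unauthenticated client submitted, and it is encoded with `p::clean(...)` before it is stored rather than when the log is displayed. Assuming p::clean is an HTML escaper, the log then holds the encoded form: a later view that escapes on output would double-encode it, and anyone searching the log for a raw username during an investigation has to account for the encoding. At minimum, record the decision next to the call, e.g. `// name is client-supplied; stored HTML-escaped, so log views must print it without re-escaping`. The same applies to the `log::info` call in the second hunk of this file and to the log calls in logout.php and password.php.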
@@ -70,7 +71,7 @@ class Login_Controller extends Controller {
if ($valid) {
user::login($user);
- log::info("user", t("User %name logged in", array("name" => $user->name)));
+ log::info("user", t("User %name logged in", array("name" => p::clean($user->name))));
}
// Either way, regenerate the session id to avoid session trapping
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index a541ed9b..63971789 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -23,8 +23,8 @@ class Logout_Controller extends Controller {
$user = user::active();
user::logout();
- log::info("user", t("User %name logged out", array("name" => $user->name)),
- html::anchor("user/$user->id", $user->name));
+ log::info("user", t("User %name logged out", array("name" => p::clean($user->name))),
+ html::anchor("user/$user->id", p::clean($user->name)));
if ($this->input->get("continue")) {
$item = url::get_item_from_uri($this->input->get("continue"));
if (access::can("view", $item)) {
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index 2dde11b8..ed3b9736 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -72,7 +72,9 @@ class Password_Controller extends Controller {
->message($message->render())
->send();
- log::success("user", "Password reset email sent for user $user->name");
+ log::success(
+ "user",
+ t("Password reset email sent for user %name", array("name" => p::clean($user->name)));
} else {
// Don't include the username here until you're sure that it's XSS safe
log::warning(
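Review bot: The added `log::success(` call is never closed. The three closing parentheses on the last added line close `p::clean(`, `array(` and `t(`, leaving the outer call open, so as shown password.php will not parse and the password-reset controller cannot load. The last added line needs a fourth parenthesis: `t("Password reset email sent for user %name", array("name" => p::clean($user->name))));`. Running `php -l` over changed files before committing would catch this class of error.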
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index 9e9d4ca1..a59588f8 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -82,7 +82,7 @@ class user_Core {
$locales = locale::installed();
if (count($locales) > 1) {
// Put "none" at the first position in the array
- $locales = array_merge(array("" => t("« none »")), $locales);
+ $locales = array_merge(array("" => t("« none »")), $locales);
$selected_locale = ($user && $user->locale) ? $user->locale : "";
$form->dropdown("locale")
->label(t("Language Preference"))
diff --git a/modules/user/helpers/user_theme.php b/modules/user/helpers/user_theme.php
index 2a4a343a..ad9d4c63 100644
--- a/modules/user/helpers/user_theme.php
+++ b/modules/user/helpers/user_theme.php
@@ -25,11 +25,8 @@ class user_theme_Core {
}
static function admin_head($theme) {
- $head = array();
if (strpos(Router::$current_uri, "admin/users") !== false) {
- $head[] = html::script("lib/gallery.panel.js");
+ $theme->script("lib/gallery.panel.js");
}
-
- return implode("\n", $head);
}
}
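Review bot: `admin_head()` changes contract in this hunk without any documentation: it used to return markup, and now it returns nothing and registers the script as a side effect through `$theme->script(...)`. If any caller still concatenates or prints the return value, it will silently emit no tag, though no caller is visible here. A short docblock on the method would make the new contract explicit, for example `/** Registers admin-only scripts on $theme; returns nothing. */`.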
diff --git a/modules/user/module.info b/modules/user/module.info
index 2dba517d..8a9af407 100644
--- a/modules/user/module.info
+++ b/modules/user/module.info
@@ -1,3 +1,3 @@
-name = Users and Groups
-description = Provides user and group management
+name = "Users and Groups"
+description = "Provides user and group management"
version = 1
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 542b8b8b..b469f82d 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -66,7 +66,7 @@
<? foreach ($users as $i => $user): ?>
<tr id="gUser-<?= $user->id ?>" class="<?= text::alternate("gOddRow", "gEvenRow") ?> user <?= $user->admin ? "admin" : "" ?>">
<td id="user-<?= $user->id ?>" class="core-info gDraggable">
- <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
+ <img src="<?= $user->avatar_url(20, $theme->theme_url("images/avatar.jpg", true)) ?>"
title="<?= t("Drag user onto group below to add as a new member") ?>"
alt="<?= p::clean($user->name) ?>"
width="20"