diff options
Diffstat (limited to 'modules')
23 files changed, 104 insertions, 69 deletions
diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php index dc3975e0..2afa5bf8 100644 --- a/modules/comment/views/admin_block_recent_comments.html.php +++ b/modules/comment/views/admin_block_recent_comments.html.php @@ -4,7 +4,7 @@ <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>"> <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>" class="gAvatar" - alt="<?= html::clean($comment->author_name()) ?>" + alt="<?= html::clean_attribute($comment->author_name()) ?>" width="32" height="32" /> <?= gallery::date_time($comment->created) ?> diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php index 588c3ebc..f5970ae1 100644 --- a/modules/comment/views/admin_comments.html.php +++ b/modules/comment/views/admin_comments.html.php @@ -122,7 +122,7 @@ <a href="<?= $item->url() ?>"> <? if ($item->has_thumb()): ?> <img src="<?= $item->thumb_url() ?>" - alt="<?= html::purify($item->title) ?>" + alt="<?= html::purify($item->title)->for_html_attr() ?>" <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?> /> <? else: ?> diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php index 1d0786cb..ce4e197d 100644 --- a/modules/comment/views/comment.html.php +++ b/modules/comment/views/comment.html.php @@ -4,7 +4,7 @@ <a href="#"> <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>" class="gAvatar" - alt="<?= html::clean($comment->author_name()) ?>" + alt="<?= html::clean_attribute($comment->author_name()) ?>" width="40" height="40" /> </a> diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php index 1e45c946..b7ebdf3a 100644 --- a/modules/comment/views/comments.html.php +++ b/modules/comment/views/comments.html.php @@ -18,7 +18,7 @@ <a href="#"> <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>" class="gAvatar" - alt="<?= html::clean($comment->author_name()) ?>" + alt="<?= html::clean_attribute($comment->author_name()) ?>" width="40" height="40" /> </a> diff --git a/modules/exif/views/exif_sidebar.html.php b/modules/exif/views/exif_sidebar.html.php index ee528613..60c0e1d4 100644 --- a/modules/exif/views/exif_sidebar.html.php +++ b/modules/exif/views/exif_sidebar.html.php @@ -1,5 +1,5 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> -<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details") ?>" +<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"> <span class="ui-icon ui-icon-info"></span> <?= t("View more information") ?> diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php index 05fc052a..7a6589bd 100644 --- a/modules/gallery/tests/Xss_Security_Test.php +++ b/modules/gallery/tests/Xss_Security_Test.php @@ -34,6 +34,7 @@ class Xss_Security_Test extends Unit_Test_Case { $in_script_block = false; $inline_html = ""; $in_attribute_js_context = false; + $in_attribute = false; $href_attribute_start = false; $preceded_by_quote = false; @@ -87,23 +88,31 @@ class Xss_Security_Test extends Unit_Test_Case { } } - $href_attribute_start = preg_match('{\bhref\s*=\s*[\'"]?\s*$}i', $inline_html); - $preceded_by_quote = preg_match('{[\'"]\s*$}i', $inline_html); $pos = false; - if ($in_attribute_js_context && ($pos = strpos($inline_html, $delimiter)) !== false) { + if (($in_attribute || $in_attribute_js_context) && + ($pos = strpos($inline_html, $delimiter)) !== false) { $in_attribute_js_context = false; + $in_attribute = false; + $href_attribute_start = false; } - if (!$in_attribute_js_context) { + if (!$in_attribute_js_context || !$in_attribute) { $pos = ($pos === false) ? 0 : $pos; if (preg_match('{\bhref\s*=\s*(")javascript:[^"]*$}i', $inline_html, $matches, 0, $pos) || preg_match("{\bhref\s*=\s*(')javascript:[^']*$}i", $inline_html, $matches, 0, $pos) || preg_match("{\bon[a-z]+\s*=\s*(')[^']*$}i", $inline_html, $matches, 0, $pos) || preg_match('{\bon[a-z]+\s*=\s*(")[^"]*$}i', $inline_html, $matches, 0, $pos)) { $in_attribute_js_context = true; + $in_attribute = true; $delimiter = $matches[1]; $inline_html = ""; + } else if (preg_match('{\b([a-z]+)\s*=\s*(")([^"]*)$}i', $inline_html, $matches, 0, $pos) || + preg_match("{\b([a-z]+)\s*=\s*(')([^']*)$}i", $inline_html, $matches, 0, $pos)) { + $in_attribute = true; + $delimiter = $matches[2]; + $inline_html = ""; + $href_attribute_start = strtolower($matches[1]) == "href" && empty($matches[3]); } } @@ -117,7 +126,7 @@ class Xss_Security_Test extends Unit_Test_Case { // No need for a stack here - assume < ? = cannot be nested. $frame = self::_create_frame($token, $in_script_block, $href_attribute_start, $in_attribute_js_context, - $preceded_by_quote); + $in_attribute, $preceded_by_quote); $href_attribute_start = false; } else if ($frame && $token[0] == T_CLOSE_TAG) { // Store the < ? = ... ? > block that just ended here. @@ -207,6 +216,7 @@ class Xss_Security_Test extends Unit_Test_Case { self::_token_matches("(", $tokens, $token_number + 3)) { $frame->is_safe_html(true); $frame->is_safe_href_attr(true); + $frame->is_safe_attr(true); $method = $tokens[$token_number + 2][1]; $frame->expr_append("::$method("); @@ -233,6 +243,9 @@ class Xss_Security_Test extends Unit_Test_Case { } else { $frame->is_safe_html(true); } + if ("clean_attribute" == $method) { + $frame->is_safe_attr(true); + } } } } else if ($frame && $token[0] == T_OBJECT_OPERATOR) { @@ -253,6 +266,9 @@ class Xss_Security_Test extends Unit_Test_Case { } else { $frame->is_safe_html(true); } + if ("for_html_attr" == $method) { + $frame->is_safe_attr(true); + } } } else if ($frame) { $frame->expr_append($token[1]); @@ -305,6 +321,11 @@ class Xss_Security_Test extends Unit_Test_Case { if ($frame->is_safe_href_attr()) { $state = "CLEAN"; } + } else if ($frame->in_attribute()) { + $state = "DIRTY_ATTR"; + if ($frame->is_safe_attr()) { + $state = "CLEAN"; + } } else { if ($frame->is_safe_html()) { $state = "CLEAN"; @@ -332,10 +353,10 @@ class Xss_Security_Test extends Unit_Test_Case { private static function _create_frame($token, $in_script_block, $href_attribute_start, $in_attribute_js_context, - $preceded_by_quote) { + $in_attribute, $preceded_by_quote) { return new Xss_Security_Test_Frame($token[2], $in_script_block, $href_attribute_start, $in_attribute_js_context, - $preceded_by_quote); + $in_attribute, $preceded_by_quote); } private static function _token_matches($expected_token, &$tokens, $token_number) { @@ -366,16 +387,19 @@ class Xss_Security_Test_Frame { private $_in_href_attribute = false; private $_is_safe_href_attr = false; private $_in_attribute_js_context = false; - private $_preceded_by_quote; + private $_in_attribute = false; + private $_preceded_by_quote = false; + private $_is_safe_attr = false; private $_line; function __construct($line_number, $in_script_block, $href_attribute_start, $in_attribute_js_context, - $preceded_by_quote) { + $in_attribute, $preceded_by_quote) { $this->_line = $line_number; $this->_in_script_block = $in_script_block; $this->_in_href_attribute = $href_attribute_start; $this->_in_attribute_js_context = $in_attribute_js_context; + $this->_in_attribute = $in_attribute; $this->_preceded_by_quote = $preceded_by_quote; } @@ -395,6 +419,10 @@ class Xss_Security_Test_Frame { return $this->_in_href_attribute; } + function in_attribute() { + return $this->_in_attribute; + } + function in_attribute_js_context() { return $this->_in_attribute_js_context; } @@ -413,6 +441,13 @@ class Xss_Security_Test_Frame { return $this->_is_safe_href_attr; } + function is_safe_attr($new_val=NULL) { + if ($new_val !== NULL) { + $this->_is_safe_attr = (bool) $new_val; + } + return $this->_is_safe_attr; + } + function is_safe_js($new_val=NULL) { if ($new_val !== NULL) { $this->_is_safe_js = (bool) $new_val; diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php index 4235e8f8..c3595da5 100644 --- a/modules/gallery/views/admin_advanced_settings.html.php +++ b/modules/gallery/views/admin_advanced_settings.html.php @@ -24,7 +24,7 @@ <td> <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>" class="gDialogLink" - title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>"> + title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name))->for_html_attr() ?>"> <? if ($var->value): ?> <?= html::clean($var->value) ?> <? else: ?> diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php index a50836ad..1b9d8ff5 100644 --- a/modules/gallery/views/admin_block_photo_stream.html.php +++ b/modules/gallery/views/admin_block_photo_stream.html.php @@ -2,9 +2,9 @@ <ul> <? foreach ($photos as $photo): ?> <li class="gItem gPhoto"> - <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>"> + <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::purify($photo->title)->for_html_attr() ?>"> <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?> - src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" /> + src="<?= $photo->thumb_url() ?>" alt="<?= html::purify($photo->title)->for_html_attr() ?>" /> </a> </li> <? endforeach ?> diff --git a/modules/gallery/views/admin_modules.html.php b/modules/gallery/views/admin_modules.html.php index 168e20d0..9cf03cb3 100644 --- a/modules/gallery/views/admin_modules.html.php +++ b/modules/gallery/views/admin_modules.html.php @@ -27,6 +27,6 @@ <? $i++ ?> <? endforeach ?> </table> - <input type="submit" value="<?= t("Update") ?>"/> + <input type="submit" value="<?= t("Update")->for_html_attr() ?>"/> </form> </div> diff --git a/modules/gallery/views/admin_themes.html.php b/modules/gallery/views/admin_themes.html.php index dc13a6a0..0aac4717 100644 --- a/modules/gallery/views/admin_themes.html.php +++ b/modules/gallery/views/admin_themes.html.php @@ -16,7 +16,7 @@ <h2> <?= t("Gallery theme") ?> </h2> <div class="gBlock gSelected"> <img src="<?= url::file("themes/{$site}/thumbnail.png") ?>" - alt="<?= $themes[$site]->name ?>" /> + alt="<?= html::clean_attribute($themes[$site]->name) ?>" /> <h3> <?= $themes[$site]->name ?> </h3> <p> <?= $themes[$site]->description ?> @@ -30,9 +30,9 @@ <? if (!$info->site) continue ?> <? if ($id == $site) continue ?> <div class="gBlock"> - <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>"> + <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>"> <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>" - alt="<?= $info->name ?>" /> + alt="<?= html::clean_attribute($info->name) ?>" /> <h3> <?= $info->name ?> </h3> <p> <?= $info->description ?> @@ -54,7 +54,7 @@ <h2> <?= t("Admin theme") ?> </h2> <div class="gBlock gSelected"> <img src="<?= url::file("themes/{$admin}/thumbnail.png") ?>" - alt="<?= $themes[$admin]->name ?>" /> + alt="<?= html::clean_attribute($themes[$admin]->name) ?>" /> <h3> <?= $themes[$admin]->name ?> </h3> <p> <?= $themes[$admin]->description ?> @@ -68,9 +68,9 @@ <? if (!$info->admin) continue ?> <? if ($id == $admin) continue ?> <div class="gBlock"> - <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>"> + <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>"> <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>" - alt="<?= $info->name ?>" /> + alt="<?= html::clean_attribute($info->name) ?>" /> <h3> <?= $info->name ?> </h3> <p> <?= $info->description ?> diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php index b77a1707..897946a2 100644 --- a/modules/gallery/views/after_install.html.php +++ b/modules/gallery/views/after_install.html.php @@ -13,7 +13,7 @@ <p> <a href="<?= url::site("form/edit/users/{$user->id}") ?>" - title="<?= t("Edit Your Profile") ?>" + title="<?= t("Edit Your Profile")->for_html_attr() ?>" id="gAfterInstallChangePasswordLink" class="gButtonLink ui-state-default ui-corners-all"><?= t("Change Password Now") ?></a> <script> $("#gAfterInstallChangePasswordLink").gallery_dialog(); diff --git a/modules/gallery/views/after_install_loader.html.php b/modules/gallery/views/after_install_loader.html.php index 54484963..c2e3e1d9 100644 --- a/modules/gallery/views/after_install_loader.html.php +++ b/modules/gallery/views/after_install_loader.html.php @@ -1,6 +1,6 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> <span id="gAfterInstall" - title="<?= t("Welcome to Gallery 3") ?>" + title="<?= t("Welcome to Gallery 3")->for_html_attr() ?>" href="<?= url::site("after_install") ?>"/> <script type="text/javascript"> $(document).ready(function(){$("#gAfterInstall").gallery_dialog({immediate: true});}); diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php index c68a63c8..3a43f7d3 100644 --- a/modules/gallery/views/l10n_client.html.php +++ b/modules/gallery/views/l10n_client.html.php @@ -66,7 +66,7 @@ (<a href="http://www.unicode.org/cldr/data/charts/supplemental/language_plural_rules.html"><?= t("learn more about plural forms") ?></a>) <?= form::textarea("l10n-edit-plural-translation-other", "", ' rows="2"') ?> </div> - <input type="submit" name="l10n-edit-save" value="<?= t("Save translation") ?>"/> + <input type="submit" name="l10n-edit-save" value="<?= t("Save translation")->for_html_attr() ?>"/> <a href="javascript: Gallery.l10nClient.copySourceText()" class="gButtonLink ui-state-default ui-corner-all"><?= t("Copy source text") ?></a> </form> diff --git a/modules/gallery/views/move_browse.html.php b/modules/gallery/views/move_browse.html.php index 4f69c0e9..99728ecc 100644 --- a/modules/gallery/views/move_browse.html.php +++ b/modules/gallery/views/move_browse.html.php @@ -42,6 +42,6 @@ <form method="post" action="<?= url::site("move/save/$source->id") ?>"> <?= access::csrf_form_field() ?> <input type="hidden" name="target_id" value="" /> - <input type="submit" id="gMoveButton" value="<?= t("Move") ?>" disabled="disabled"/> + <input type="submit" id="gMoveButton" value="<?= t("Move")->for_html_attr() ?>" disabled="disabled"/> </form> </div> diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php index e6b217c5..a0bb35f2 100644 --- a/modules/gallery/views/permissions_form.html.php +++ b/modules/gallery/views/permissions_form.html.php @@ -20,9 +20,9 @@ <? if ($lock): ?> <td class="gDenied"> - <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album') ?>" alt="<?= t('denied icon') ?>" /> - <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album') ?>"> - <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon') ?>" /> + <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album')->for_html_attr() ?>" alt="<?= t('denied icon')->for_html_attr() ?>" /> + <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon')->for_html_attr() ?>" /> </a> </td> <? else: ?> @@ -30,23 +30,23 @@ <? if ($allowed): ?> <td class="gAllowed"> <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('allowed through parent album, click to allow explicitly') ?>"> - <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon') ?>" /> + title="<?= t('allowed through parent album, click to allow explicitly')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon')->for_html_attr() ?>" /> </a> <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to deny') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" /> + title="<?= t('click to deny')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" /> </a> </td> <? else: ?> <td class="gDenied"> <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to allow') ?>"> - <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" /> + title="<?= t('click to allow')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" /> </a> <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('denied through parent album, click to deny explicitly') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon') ?>" /> + title="<?= t('denied through parent album, click to deny explicitly')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon')->for_html_attr() ?>" /> </a> </td> <? endif ?> @@ -54,31 +54,31 @@ <? elseif ($intent === access::DENY): ?> <td class="gDenied"> <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to allow') ?>"> - <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" /> + title="<?= t('click to allow')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" /> </a> <? if ($item->id == 1): ?> - <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" title="<?= t('denied') ?>"/> + <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" title="<?= t('denied')->for_html_attr() ?>"/> <? else: ?> <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('denied, click to reset') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" /> + title="<?= t('denied, click to reset')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" /> </a> <? endif ?> </td> <? elseif ($intent === access::ALLOW): ?> <td class="gAllowed"> <? if ($item->id == 1): ?> - <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed") ?>" alt="<?= t('allowed icon') ?>" /> + <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed")->for_html_attr() ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" /> <? else: ?> <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('allowed, click to reset') ?>"> - <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon') ?>" /> + title="<?= t('allowed, click to reset')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" /> </a> <? endif ?> <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)" - title="<?= t('click to deny') ?>"> - <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" /> + title="<?= t('click to deny')->for_html_attr() ?>"> + <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" /> </a> </td> <? endif ?> diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php index 9cf554ec..7f8a96df 100644 --- a/modules/gallery/views/simple_uploader.html.php +++ b/modules/gallery/views/simple_uploader.html.php @@ -35,7 +35,7 @@ <span id="gUploadQueueInfo"> <?= t("Upload Queue") ?> </span> - <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads") ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a> + <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads")->for_html_attr() ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a> </p> <div id="gAddPhotosCanvas" style="text-align: center;"> <div id="gAddPhotosQueue"></div> diff --git a/modules/rss/module.info b/modules/rss/module.info index 81ee7848..48375da1 100644 --- a/modules/rss/module.info +++ b/modules/rss/module.info @@ -1,3 +1,3 @@ name = "RSS" -description = "Provide a RSS feeds" +description = "Provides RSS feeds" version = 1 diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php index 731703c7..3612cbc0 100644 --- a/modules/rss/views/feed.mrss.php +++ b/modules/rss/views/feed.mrss.php @@ -22,25 +22,25 @@ <lastBuildDate><?= $pub_date ?></lastBuildDate> <? foreach ($feed->children as $child): ?> <item> - <title><?= html::clean($child->title) ?></title> + <title><?= html::purify($child->title) ?></title> <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link> <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid> <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate> <content:encoded> <![CDATA[ - <span><?= html::clean($child->description) ?></span> + <span><?= html::purify($child->description) ?></span> <p> <? if ($child->type == "photo" || $child->type == "album"): ?> <img alt="" src="<?= $child->resize_url(true) ?>" - title="<?= html::clean($child->title) ?>" + title="<?= html::purify($child->title)->for_html_attr() ?>" height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br /> <? else: ?> <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>"> <img alt="" src="<?= $child->thumb_url(true) ?>" - title="<?= html::clean($child->title) ?>" + title="<?= html::purify($child->title)->for_html_attr() ?>" height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br /> <? endif ?> - <?= html::clean($child->description) ?> + <?= html::purify($child->description) ?> </p> ]]> </content:encoded> diff --git a/modules/search/views/search_link.html.php b/modules/search/views/search_link.html.php index 3f1bca91..51bb4e14 100644 --- a/modules/search/views/search_link.html.php +++ b/modules/search/views/search_link.html.php @@ -6,7 +6,7 @@ <input type="text" name="q" id="gSearch"/> </li> <li> - <input type="submit" value="<?= t("Go") ?>" /> + <input type="submit" value="<?= t("Go")->for_html_attr() ?>" /> </li> </ul> </form> diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php index 9455f9d9..c065e4b1 100644 --- a/modules/user/views/admin_users.html.php +++ b/modules/user/views/admin_users.html.php @@ -44,7 +44,7 @@ <div class="gBlock"> <a href="<?= url::site("admin/users/add_user_form") ?>" class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all" - title="<?= t("Create a new user") ?>"> + title="<?= t("Create a new user")->for_html_attr() ?>"> <span class="ui-icon ui-icon-circle-plus"></span> <?= t("Add a new user") ?> </a> @@ -67,8 +67,8 @@ <tr id="gUser-<?= $user->id ?>" class="<?= text::alternate("gOddRow", "gEvenRow") ?> user <?= $user->admin ? "admin" : "" ?>"> <td id="user-<?= $user->id ?>" class="core-info gDraggable"> <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>" - title="<?= t("Drag user onto group below to add as a new member") ?>" - alt="<?= html::clean($user->name) ?>" + title="<?= t("Drag user onto group below to add as a new member")->for_html_attr() ?>" + alt="<?= html::clean_attribute($user->name) ?>" width="20" height="20" /> <?= html::clean($user->name) ?> @@ -92,7 +92,7 @@ class="gDialogLink gButtonLink ui-state-default ui-corner-all ui-icon-left"> <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a> <? else: ?> - <span title="<?= t("This user cannot be deleted") ?>" + <span title="<?= t("This user cannot be deleted")->for_html_attr() ?>" class="gButtonLink ui-state-disabled ui-corner-all ui-icon-left"> <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></span> <? endif ?> @@ -106,7 +106,7 @@ <div id="gGroupAdmin" class="gBlock"> <a href="<?= url::site("admin/users/add_group_form") ?>" class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all" - title="<?= t("Create a new group") ?>"> + title="<?= t("Create a new group")->for_html_attr() ?>"> <span class="ui-icon ui-icon-circle-plus"></span> <?= t("Add a new group") ?> </a> diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php index 8418ebc9..476e0817 100644 --- a/modules/user/views/admin_users_group.html.php +++ b/modules/user/views/admin_users_group.html.php @@ -3,11 +3,11 @@ <?= html::clean($group->name) ?> <? if (!$group->special): ?> <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>" - title="<?= t("Delete the %name group", array("name" => $group->name)) ?>" + title="<?= t("Delete the %name group", array("name" => $group->name))->for_html_attr() ?>" class="gDialogLink gButtonLink ui-state-default ui-corner-all"> <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> <? else: ?> - <a title="<?= t("This default group cannot be deleted") ?>" + <a title="<?= t("This default group cannot be deleted")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left"> <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> <? endif ?> @@ -22,7 +22,7 @@ <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)" class="gButtonLink ui-state-default ui-corner-all ui-icon-left" title="<?= t("Remove %user from %group group", - array("user" => $user->name, "group" => $group->name)) ?>"> + array("user" => $user->name, "group" => $group->name))->for_html_attr() ?>"> <span class="ui-icon ui-icon-closethick"><?= t("remove") ?></span> </a> <? endif ?> diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php index 27431ce8..bb670d51 100644 --- a/modules/user/views/login.html.php +++ b/modules/user/views/login.html.php @@ -3,7 +3,7 @@ <? if ($user->guest): ?> <li class="first"> <a href="<?= url::site("login/ajax") ?>" - title="<?= t("Login to Gallery") ?>" + title="<?= t("Login to Gallery")->for_html_attr() ?>" id="gLoginLink"><?= t("Login") ?></a> </li> <? else: ?> diff --git a/modules/watermark/views/admin_watermarks.html.php b/modules/watermark/views/admin_watermarks.html.php index e83a7efa..ac69d21d 100644 --- a/modules/watermark/views/admin_watermarks.html.php +++ b/modules/watermark/views/admin_watermarks.html.php @@ -7,7 +7,7 @@ <? if (empty($name)): ?> <a href="<?= url::site("admin/watermarks/form_add") ?>" - title="<?= t("Upload a watermark") ?>" + title="<?= t("Upload a watermark")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-document-b"></span><?= t("Upload a watermark") ?></a> <? else: ?> <h2> <?= t("Active Watermark") ?> </h2> @@ -26,10 +26,10 @@ </div> <div class="controls"> <a href="<?= url::site("admin/watermarks/form_edit") ?>" - title="<?= t("Edit Watermark") ?>" + title="<?= t("Edit Watermark")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-pencil"></span><?= t("edit") ?></a> <a href="<?= url::site("admin/watermarks/form_delete") ?>" - title="<?= t("Delete Watermark") ?>" + title="<?= t("Delete Watermark")->for_html_attr() ?>" class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a> </div> </div> |