From d5660d2d3ea6e8172272f1eb27e8071a1a42d87b Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 13:41:18 -0700
Subject: Fixing all detected XSS vectors in PHP->JS code.

Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
---
 modules/gallery/tests/Xss_Security_Test.php    | 15 +++++--
 modules/gallery/views/l10n_client.html.php     |  4 +-
 modules/gallery/views/simple_uploader.html.php | 61 +++++++++++++-------------
 modules/organize/views/organize.html.php       | 16 +++----
 themes/admin_default/views/admin.html.php      |  2 +-
 themes/default/views/movie.html.php            |  2 +-
 themes/default/views/page.html.php             |  2 +-
 themes/default/views/photo.html.php            |  4 +-
 8 files changed, 56 insertions(+), 50 deletions(-)

diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index fd596c69..690dc760 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -178,10 +178,10 @@ class Xss_Security_Test extends Unit_Test_Case {
      * Generate the report
      *
      * States for uses of < ? = X ? >:
-     * JS_XSS:
+     * DIRTY_JS:
      *   In <script> block
      *     X can be anything without calling ->for_js()
-     * UNKNOWN:
+     * DIRTY:
      *   Outside <script> block:
      *     X can be anything without a call to ->for_html() or ->purified_html()
      * CLEAN:
@@ -196,9 +196,9 @@ class Xss_Security_Test extends Unit_Test_Case {
     ksort($found);
     foreach ($found as $view => $frames) {
       foreach ($frames as $frame) {
-	$state = "UNKNOWN";
+	$state = "DIRTY";
 	if ($frame->in_script_block()) {
-	  $state = "JS_XSS";
+	  $state = "DIRTY_JS";
 	  if ($frame->for_js_called() || $frame->json_encode_called()) {
 	    $state = "CLEAN";
 	  }
@@ -207,6 +207,13 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    $state = "CLEAN";
 	  }
 	}
+
+	if ("CLEAN" == $state) {
+	  // Don't print CLEAN instances - No need to update the golden
+	  // file when adding / moving clean instances.
+	  continue;
+	}
+
 	fprintf($fd, "%-60s %-3s %-8s %s\n",
 		$view, $frame->line(), $state, $frame->expr());
       }
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index c73719ca..523552c3 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -69,8 +69,8 @@
     </div>
   </div>
   <script type="text/javascript">
-    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text") ?>";
-    var MSG_CLOSE_X = "<?= t("X") ?>";
+    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text")->for_js() ?>";
+    var MSG_CLOSE_X = "<?= t("X")->for_js() ?>";
     var l10n_client_data = <?= json_encode($string_list) ?>;
     var plural_forms = <?= json_encode($plural_forms) ?>;
   </script>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 56e568f6..fc426e8f 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,27 +82,26 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= url::file("lib/swfupload/swfupload.swf") ?>",
-    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id") ?>",
-    post_params: {
-      "g3sid": "<?= Session::instance()->id() ?>",
-      "user_agent": "<?= Input::instance()->server("HTTP_USER_AGENT") ?>",
-      "csrf": "<?= $csrf ?>"
-    },
-    file_size_limit: "<?= ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB" ?>",
+    flash_url: "<?= url::file("lib/swfupload/swfupload.swf")->for_js() ?>",
+    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id")->for_js() ?>",
+    post_params: <?= json_encode(array(
+      "g3sid" => Session::instance()->id(),
+      "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
+      "csrf" => $csrf)) ?>,
+    file_size_limit: "<?= SafeString::of(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")->for_js() ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
-    file_types_description: "<?= t("Photos and Movies") ?>",
+    file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
     file_queue_limit: 0,
     custom_settings: { },
     debug: false,
 
     // Button settings
-    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png") ?>",
+    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png")->for_js() ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
-    button_text: '<span class="swfUploadFont"><?= t("Select photos...") ?></span>',
+    button_text: <?= json_encode('<span class="swfUploadFont">' . t("Select photos...") . '</span>') ?>,
     button_text_style: ".swfUploadFont { color: #2E6E9E; font-size: 16px; font-family: Lucida Grande,Lucida Sans,Arial,sans-serif; font-weight: bold; }",
     button_text_left_padding: 30,
     button_text_top_padding: 10,
@@ -146,13 +145,13 @@
   function file_queued(file) {
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("pending", "<?= t("Pending...") ?>");
+    fp.set_status("pending", "<?= t("Pending...")->for_js() ?>");
     // @todo add cancel button to call this.cancelUpload(file.id)
   }
 
   function file_queue_error(file, error_code, message) {
     if (error_code === SWFUpload.QUEUE_ERROR.QUEUE_LIMIT_EXCEEDED) {
-      alert("<?= t("You have attempted to queue too many files.") ?>");
+      alert("<?= t("You have attempted to queue too many files.")->for_js() ?>");
       return;
     }
 
@@ -160,20 +159,20 @@
     switch (error_code) {
     case SWFUpload.QUEUE_ERROR.FILE_EXCEEDS_SIZE_LIMIT:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize"))) ?>");
+      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>");
       break;
     case SWFUpload.QUEUE_ERROR.ZERO_BYTE_FILE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Cannot upload empty files.") ?>");
+      fp.set_status("error", "<?= t("Cannot upload empty files.")->for_js() ?>");
       break;
     case SWFUpload.QUEUE_ERROR.INVALID_FILETYPE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Invalid file type.") ?>");
+      fp.set_status("error", "<?= t("Invalid file type.")->for_js() ?>");
       break;
     default:
       if (file !== null) {
         fp.title.html(file.name);
-        fp.set_status("error", "<?= t("Unknown error") ?>");
+        fp.set_status("error", "<?= t("Unknown error")->for_js() ?>");
       }
       break;
     }
@@ -194,7 +193,7 @@
     // no uploadProgress events are called (limitation in the Linux Flash VM).
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("uploading", "<?= t("Uploading...") ?>");
+    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
     $("#gAddPhotosCanvas").scrollTo(fp.box, 1000);
     return true;
     // @todo add cancel button to call this.cancelUpload(file.id)
@@ -203,7 +202,7 @@
   function upload_progress(file, bytes_loaded, bytes_total) {
     var percent = Math.ceil((bytes_loaded / bytes_total) * 100);
     var fp = new File_Progress(file);
-    fp.set_status("uploading", "<?= t("Uploading...") ?>");
+    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
     fp.progress_bar.css("visibility", "visible");
     fp.progress_bar.progressbar("value", percent);
   }
@@ -211,42 +210,42 @@
   function upload_success(file, serverData) {
     var fp = new File_Progress(file);
     fp.progress_bar.progressbar("value", 100);
-    fp.set_status("complete", "<?= t("Complete.") ?>");
+    fp.set_status("complete", "<?= t("Complete.")->for_js() ?>");
   }
 
   function upload_error(file, error_code, message) {
     var fp = new File_Progress(file);
     switch (error_code) {
     case SWFUpload.UPLOAD_ERROR.HTTP_ERROR:
-      fp.set_status("error", "<?= t("Upload error: ") ?>" + message);
+      fp.set_status("error", "<?= t("Upload error: ")->for_js() ?>" + message);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_FAILED:
-      fp.set_status("error", "<?= t("Upload failed") ?>");
+      fp.set_status("error", "<?= t("Upload failed")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.IO_ERROR:
-      fp.set_status("error", "<?= t("Server error") ?>");
+      fp.set_status("error", "<?= t("Server error")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.SECURITY_ERROR:
-      fp.set_status("error", "<?= t("Security error") ?>");
+      fp.set_status("error", "<?= t("Security error")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_LIMIT_EXCEEDED:
-      fp.set_status("error", "<?= t("Upload limit exceeded") ?>");
+      fp.set_status("error", "<?= t("Upload limit exceeded")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_VALIDATION_FAILED:
-      fp.set_status("error", "<?= t("Failed validation.  File skipped") ?>");
+      fp.set_status("error", "<?= t("Failed validation.  File skipped")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_CANCELLED:
       // If there aren't any files left (they were all cancelled) disable the cancel button
       if (this.getStats().files_queued === 0) {
         $("#gUploadCancel").hide();
       }
-      fp.set_status("error", "<?= t("Cancelled") ?>");
+      fp.set_status("error", "<?= t("Cancelled")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_STOPPED:
-      fp.set_status("error", "<?= t("Stopped") ?>");
+      fp.set_status("error", "<?= t("Stopped")->for_js() ?>");
       break;
     default:
-      fp.set_status("error", "<?= t("Unknown error: ") ?>" + error_code);
+      fp.set_status("error", "<?= t("Unknown error: ")->for_js() ?>" + error_code);
       break;
     }
   }
@@ -260,7 +259,7 @@
   }
 
   function get_completed_status_msg(stats) {
-    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__")) ?>";
+    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>";
     msg = msg.replace("__COMPLETED__", stats.successful_uploads);
     msg = msg.replace("__TOTAL__", stats.files_queued + stats.successful_uploads +
       stats.upload_errors + stats.upload_cancelled + stats.queue_errors);
@@ -269,7 +268,7 @@
 
   // This event comes from the Queue Plugin
   function queue_complete(num_files_uploaded) {
-    var status_msg = "<?= t("Uploaded: __COUNT__") ?>";
+    var status_msg = "<?= t("Uploaded: __COUNT__")->for_js() ?>";
     $("#gUploadStatus").html(status_msg.replace("__COUNT__", num_files_uploaded));
   }
 </script>
diff --git a/modules/organize/views/organize.html.php b/modules/organize/views/organize.html.php
index 1182a887..d2f0aa8c 100644
--- a/modules/organize/views/organize.html.php
+++ b/modules/organize/views/organize.html.php
@@ -1,16 +1,16 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <!-- ?= html::script("modules/organize/js/organize.js") ? -->
 <script>
-  var FATAL_ERROR = "<?= t("Fatal Error") ?>";
-  var PAUSE_BUTTON = "<?= t("Pause") ?>";
-  var RESUME_BUTTON = "<?= t("Resume") ?>";
-  var CANCEL_BUTTON = "<?= t("Cancel") ?>";
-  var INVALID_DROP_TARGET = "<div class=\"gError\"><?= t("Drop cancelled as it would result in a recursive move") ?></div>";
-var CONFIRM_DELETE = "<?= t("Do you really want to delete the selected albums and/or photos") ?>"
+  var FATAL_ERROR = "<?= t("Fatal Error")->for_js() ?>";
+  var PAUSE_BUTTON = "<?= t("Pause")->for_js() ?>";
+  var RESUME_BUTTON = "<?= t("Resume"->for_js()) ?>";
+  var CANCEL_BUTTON = "<?= t("Cancel")->for_js() ?>";
+  var INVALID_DROP_TARGET = "<div class=\"gError\"><?= t("Drop cancelled as it would result in a recursive move")->for_js() ?></div>";
+var CONFIRM_DELETE = "<?= t("Do you really want to delete the selected albums and/or photos")->for_js() ?>"
   var item_id = <?= $item->id ?>;
 
-  var csrf = "<?= $csrf ?>";
-  var rearrangeUrl = "<?= url::site("__URI__/__ITEM_ID____TASK_ID__?csrf=$csrf") ?>";
+  var csrf = <?= json_encode($csrf) ?>;
+  var rearrangeUrl = "<?= url::site("__URI__/__ITEM_ID____TASK_ID__?csrf=$csrf")->for_js() ?>";
   $("#doc3").ready(function() {
     organize_dialog_init();
   });
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index d27f9260..61821428 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel') ?>";
+   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
    </script>
    <?= $theme->script("gallery.dialog.js") ?>
    <?= $theme->script("superfish/js/superfish.js") ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 1f25a626..75d51eff 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -20,7 +20,7 @@
   </div>
 
   <script type="text/javascript">
-    var ADD_A_COMMENT = "<?= t("Add a comment") ?>";
+    var ADD_A_COMMENT = "<?= t("Add a comment")->for_js() ?>";
   </script>
   <?= $theme->photo_bottom() ?>
 </div>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index ea2be37b..8d9f0caa 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -51,7 +51,7 @@
     <?= $theme->script("gallery.common.js") ?>
     <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
     <script type="text/javascript">
-    var MSG_CANCEL = "<?= t('Cancel') ?>";
+    var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
     </script>
     <?= $theme->script("gallery.dialog.js") ?>
     <?= $theme->script("gallery.form.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 1f92e9ba..fcf597cf 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      show_full_size("<?= $theme->item()->file_url() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      show_full_size("<?= $theme->item()->file_url()->for_js() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
@@ -55,7 +55,7 @@
   </div>
 
   <script type="text/javascript">
-    var ADD_A_COMMENT = "<?= t("Add a comment") ?>";
+    var ADD_A_COMMENT = "<?= t("Add a comment")->for_js() ?>";
   </script>
   <?= $theme->photo_bottom() ?>
 </div>
-- 
cgit v1.2.3