From 8f9a943f55c1342177d7687e3d891f5d1c9eff30 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Wed, 1 Jul 2009 17:57:39 -0700 Subject: Fix a bunch of XSS vulnerabilities turned up by manual inspection using the checklist in ticket #385. --- modules/gallery/controllers/quick.php | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'modules/gallery/controllers/quick.php') diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php index e89d9701..5d3d8885 100644 --- a/modules/gallery/controllers/quick.php +++ b/modules/gallery/controllers/quick.php @@ -89,7 +89,7 @@ class Quick_Controller extends Controller { access::required("view", $item->parent()); access::required("edit", $item->parent()); - $msg = t("Made %title this album's cover", array("title" => $item->title)); + $msg = t("Made %title this album's cover", array("title" => p::clean($item->title))); item::make_album_cover($item); message::success($msg); @@ -105,9 +105,10 @@ class Quick_Controller extends Controller { if ($item->is_album()) { print t( "Delete the album %title? All photos and movies in the album will also be deleted.", - array("title" => $item->title)); + array("title" => p::clean($item->title))); } else { - print t("Are you sure you want to delete %title?", array("title" => $item->title)); + print t("Are you sure you want to delete %title?", + array("title" => p::clean($item->title))); } $form = item::get_delete_form($item); @@ -121,9 +122,9 @@ class Quick_Controller extends Controller { access::required("edit", $item); if ($item->is_album()) { - $msg = t("Deleted album %title", array("title" => $item->title)); + $msg = t("Deleted album %title", array("title" => p::clean($item->title))); } else { - $msg = t("Deleted photo %title", array("title" => $item->title)); + $msg = t("Deleted photo %title", array("title" => p::clean($item->title))); } $item->delete(); -- cgit v1.2.3