From 952c8856098dcfd9673d344fc71be85b303c8fb1 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 22:31:23 -0700
Subject: Adding html::clean(), ::purify(), etc.

---
 modules/gallery/tests/Html_Helper_Test.php | 55 ++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 modules/gallery/tests/Html_Helper_Test.php

(limited to 'modules/gallery/tests/Html_Helper_Test.php')

diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
new file mode 100644
index 00000000..4d934ad5
--- /dev/null
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -0,0 +1,55 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Html_Helper_Test extends Unit_Test_Case {
+  public function clean_test() {
+    $safe_string = html::clean("hello <p  >world</p>");
+    $this->assert_equal("hello &lt;p  &gt;world&lt;/p&gt;",
+			$safe_string);
+    $this->assert_true($safe_string instanceof SafeString);
+  }
+
+  public function purify_test() {
+    $safe_string = html::purify("hello <p  >world</p>");
+    $this->assert_equal("hello <p>world</p>",
+			$safe_string);
+    $this->assert_true($safe_string instanceof SafeString);
+  }
+
+  public function mark_safe_test() {
+    $safe_string = html::mark_safe("hello <p  >world</p>");
+    $this->assert_true($safe_string instanceof SafeString);
+    $safe_string_2 = html::clean($safe_string);
+    $this->assert_equal("hello <p  >world</p>",
+			$safe_string_2);
+  }
+
+  public function escape_for_js_test() {
+    $string = html::escape_for_js("hello's <p  >world</p>");
+    $this->assert_equal("hello\\'s <p  >world<\\/p>",
+			$string);
+  }
+
+  public function clean_attribute_test() {
+    $safe_string = SafeString::of_safe_html("hello's <p  >world</p>");
+    $safe_string = html::clean_attribute($safe_string);
+    $this->assert_equal("hello&#039;s <p  >world</p>",
+			$safe_string);
+  }
+}
\ No newline at end of file
-- 
cgit v1.2.3


From b9bd1681a3b1496c0f1bbe5e6254ab4fd0c9fe30 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 22:54:20 -0700
Subject: Update all code to use helper method html::clean(), html::purify(),
 ... instead of SafeString directly.

---
 modules/comment/controllers/comments.php                   |  8 ++++----
 modules/comment/helpers/comment_rss.php                    |  8 ++++----
 modules/comment/views/admin_block_recent_comments.html.php |  6 +++---
 modules/comment/views/admin_comments.html.php              | 10 +++++-----
 modules/comment/views/comment.html.php                     |  6 +++---
 modules/comment/views/comment.mrss.php                     | 12 ++++++------
 modules/comment/views/comments.html.php                    |  6 +++---
 modules/digibug/controllers/digibug.php                    |  2 +-
 modules/exif/views/exif_dialog.html.php                    |  4 ++--
 modules/g2_import/helpers/g2_import.php                    |  2 +-
 modules/gallery/controllers/admin_advanced_settings.php    |  2 +-
 modules/gallery/controllers/quick.php                      | 10 +++++-----
 modules/gallery/helpers/MY_html.php                        |  4 ++--
 modules/gallery/helpers/gallery_rss.php                    |  4 ++--
 modules/gallery/helpers/gallery_task.php                   |  4 ++--
 modules/gallery/tests/Html_Helper_Test.php                 |  4 ++--
 modules/gallery/tests/Xss_Security_Test.php                |  4 ++--
 modules/gallery/views/admin_advanced_settings.html.php     |  6 +++---
 modules/gallery/views/admin_block_log_entries.html.php     |  2 +-
 modules/gallery/views/admin_block_photo_stream.html.php    |  4 ++--
 modules/gallery/views/admin_languages.html.php             |  4 ++--
 modules/gallery/views/admin_maintenance.html.php           |  4 ++--
 modules/gallery/views/admin_maintenance_show_log.html.php  |  2 +-
 modules/gallery/views/move_tree.html.php                   |  8 ++++----
 modules/gallery/views/permissions_browse.html.php          |  4 ++--
 modules/gallery/views/permissions_form.html.php            |  2 +-
 modules/gallery/views/simple_uploader.html.php             | 14 +++++++-------
 modules/info/views/info_block.html.php                     | 10 +++++-----
 modules/notification/views/comment_published.html.php      | 12 ++++++------
 modules/notification/views/item_added.html.php             |  8 ++++----
 modules/notification/views/item_deleted.html.php           |  6 +++---
 modules/notification/views/item_updated.html.php           | 12 ++++++------
 modules/organize/views/organize_dialog.html.php            |  2 +-
 modules/organize/views/organize_tree.html.php              |  6 +++---
 modules/rss/views/feed.mrss.php                            | 14 +++++++-------
 modules/rss/views/rss_block.html.php                       |  2 +-
 modules/search/views/search.html.php                       |  6 +++---
 modules/server_add/views/admin_server_add.html.php         |  2 +-
 modules/server_add/views/server_add_tree.html.php          |  4 ++--
 modules/server_add/views/server_add_tree_dialog.html.php   |  6 +++---
 modules/tag/controllers/admin_tags.php                     |  2 +-
 modules/tag/views/admin_tags.html.php                      |  6 +++---
 modules/tag/views/tag_cloud.html.php                       |  2 +-
 modules/user/controllers/logout.php                        |  2 +-
 modules/user/views/admin_users.html.php                    |  8 ++++----
 modules/user/views/admin_users_group.html.php              |  4 ++--
 modules/user/views/login.html.php                          |  2 +-
 themes/default/views/album.html.php                        |  6 +++---
 themes/default/views/dynamic.html.php                      |  4 ++--
 themes/default/views/header.html.php                       |  4 ++--
 themes/default/views/movie.html.php                        |  4 ++--
 themes/default/views/photo.html.php                        |  6 +++---
 52 files changed, 143 insertions(+), 143 deletions(-)

(limited to 'modules/gallery/tests/Html_Helper_Test.php')

diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php
index 87633f4c..82b12893 100644
--- a/modules/comment/controllers/comments.php
+++ b/modules/comment/controllers/comments.php
@@ -39,9 +39,9 @@ class Comments_Controller extends REST_Controller {
       foreach ($comments as $comment) {
         $data[] = array(
           "id" => $comment->id,
-          "author_name" => SafeString::of($comment->author_name()),
+          "author_name" => html::clean($comment->author_name()),
           "created" => $comment->created,
-          "text" => nl2br(SafeString::purify($comment->text)));
+          "text" => nl2br(html::purify($comment->text)));
       }
       print json_encode($data);
       break;
@@ -126,9 +126,9 @@ class Comments_Controller extends REST_Controller {
         array("result" => "success",
               "data" => array(
                 "id" => $comment->id,
-                "author_name" => SafeString::of($comment->author_name()),
+                "author_name" => html::clean($comment->author_name()),
                 "created" => $comment->created,
-                "text" => nl2br(SafeString::purify($comment->text)))));
+                "text" => nl2br(html::purify($comment->text)))));
     } else {
       $view = new Theme_View("comment.html", "fragment");
       $view->comment = $comment;
diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php
index 4151dcd0..b539887b 100644
--- a/modules/comment/helpers/comment_rss.php
+++ b/modules/comment/helpers/comment_rss.php
@@ -23,7 +23,7 @@ class comment_rss_Core {
     $feeds["comment/newest"] = t("All new comments");
     if ($item) {
       $feeds["comment/item/$item->id"] =
-        t("Comments on %title", array("title" => SafeString::purify($item->title)));
+        t("Comments on %title", array("title" => html::purify($item->title)));
     }
     return $feeds;
   }
@@ -49,13 +49,13 @@ class comment_rss_Core {
       $item = $comment->item();
       $feed->children[] = new ArrayObject(
         array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
-              "text" => nl2br(SafeString::purify($comment->text)),
+              "text" => nl2br(html::purify($comment->text)),
               "thumb_url" => $item->thumb_url(),
               "thumb_height" => $item->thumb_height,
               "thumb_width" => $item->thumb_width,
               "item_uri" => url::abs_site("{$item->type}s/$item->id"),
-              "title" => SafeString::purify($item->title),
-              "author" => SafeString::of($comment->author_name())),
+              "title" => html::purify($item->title),
+              "author" => html::clean($comment->author_name())),
         ArrayObject::ARRAY_AS_PROPS);
     }
 
diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php
index 2c7a5cf1..dc3975e0 100644
--- a/modules/comment/views/admin_block_recent_comments.html.php
+++ b/modules/comment/views/admin_block_recent_comments.html.php
@@ -4,13 +4,13 @@
   <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
     <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
          class="gAvatar"
-         alt="<?= SafeString::of($comment->author_name()) ?>"
+         alt="<?= html::clean($comment->author_name()) ?>"
          width="32"
          height="32" />
     <?= gallery::date_time($comment->created) ?>
     <?= t('<a href="#">%author_name</a> said <em>%comment_text</em>',
-          array("author_name" => SafeString::of($comment->author_name()),
-                "comment_text" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50))); ?>
+          array("author_name" => html::clean($comment->author_name()),
+                "comment_text" => text::limit_words(nl2br(html::purify($comment->text)), 50))); ?>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index 8b0b4c29..801ce2b3 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -108,12 +108,12 @@
         <a href="#">
           <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
                class="gAvatar"
-               alt="<?= SafeString::of($comment->author_name()) ?>"
+               alt="<?= html::clean($comment->author_name()) ?>"
                width="40"
                height="40" />
         </a>
-        <p><a href="mailto:<?= SafeString::of($comment->author_email()) ?>"
-              title="<?= SafeString::of($comment->author_email()) ?>"> <?= SafeString::of($comment->author_name()) ?> </a></p>
+        <p><a href="mailto:<?= html::clean($comment->author_email()) ?>"
+              title="<?= html::clean($comment->author_email()) ?>"> <?= html::clean($comment->author_name()) ?> </a></p>
       </td>
       <td>
         <div class="right">
@@ -122,7 +122,7 @@
             <a href="<?= $item->url() ?>">
               <? if ($item->has_thumb()): ?>
               <img src="<?= $item->thumb_url() ?>"
-                 alt="<?= SafeString::purify($item->title) ?>"
+                 alt="<?= html::purify($item->title) ?>"
                  <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
               />
               <? else: ?>
@@ -132,7 +132,7 @@
           </div>
         </div>
         <p><?= gallery::date($comment->created) ?></p>
-           <?= nl2br(SafeString::purify($comment->text)) ?>
+           <?= nl2br(html::purify($comment->text)) ?>
       </td>
       <td>
         <ul class="gButtonSetVertical">
diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php
index 31bb7f4d..1d0786cb 100644
--- a/modules/comment/views/comment.html.php
+++ b/modules/comment/views/comment.html.php
@@ -4,15 +4,15 @@
     <a href="#">
       <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
            class="gAvatar"
-           alt="<?= SafeString::of($comment->author_name()) ?>"
+           alt="<?= html::clean($comment->author_name()) ?>"
            width="40"
            height="40" />
     </a>
     <?= t("on %date_time, %author_name said",
           array("date_time" => gallery::date_time($comment->created),
-                "author_name" => SafeString::of($comment->author_name()))) ?>
+                "author_name" => html::clean($comment->author_name()))) ?>
   </p>
   <div>
-  <?= nl2br(SafeString::purify($comment->text)) ?>
+  <?= nl2br(html::purify($comment->text)) ?>
   </div>
 </li>
diff --git a/modules/comment/views/comment.mrss.php b/modules/comment/views/comment.mrss.php
index ae7762d9..c2a4b538 100644
--- a/modules/comment/views/comment.mrss.php
+++ b/modules/comment/views/comment.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>Gallery 3</generator>
-    <title><?= SafeString::of($feed->title) ?></title>
+    <title><?= html::clean($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= SafeString::of($feed->description) ?></description>
+    <description><?= html::clean($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,14 +22,14 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= SafeString::purify($child->title) ?></title>
-      <link><?= SafeString::of($child->item_uri) ?></link>
-      <author><?= SafeString::of($child->author) ?></author>
+      <title><?= html::purify($child->title) ?></title>
+      <link><?= html::clean($child->item_uri) ?></link>
+      <author><?= html::clean($child->author) ?></author>
       <guid isPermaLink="true"><?= $child->item_uri ?></guid>
       <pubDate><?= $child->pub_date ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <p><?= nl2br(SafeString::purify($child->text)) ?></p>
+          <p><?= nl2br(html::purify($child->text)) ?></p>
           <p>
             <img alt="" src="<?= $child->thumb_url ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" />
diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index 9eac0502..1e45c946 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -18,16 +18,16 @@
       <a href="#">
         <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
              class="gAvatar"
-             alt="<?= SafeString::of($comment->author_name()) ?>"
+             alt="<?= html::clean($comment->author_name()) ?>"
              width="40"
              height="40" />
       </a>
       <?= t('on %date <a href="#">%name</a> said',
             array("date" => date("Y-M-d H:i:s", $comment->created),
-                  "name" => SafeString::of($comment->author_name()))); ?>
+                  "name" => html::clean($comment->author_name()))); ?>
     </p>
     <div>
-      <?= nl2br(SafeString::purify($comment->text)) ?>
+      <?= nl2br(html::purify($comment->text)) ?>
     </div>
   </li>
   <? endforeach ?>
diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index 509a8b70..0939704b 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
@@ -50,7 +50,7 @@ class Digibug_Controller extends Controller {
       "image_width_1" => $item->width,
       "thumb_height_1" => $item->thumb_height,
       "thumb_width_1" => $item->thumb_width,
-      "title_1" => SafeString::purify($item->title));
+      "title_1" => html::purify($item->title));
 
     print $v;
   }
diff --git a/modules/exif/views/exif_dialog.html.php b/modules/exif/views/exif_dialog.html.php
index a981ca09..11d1e212 100644
--- a/modules/exif/views/exif_dialog.html.php
+++ b/modules/exif/views/exif_dialog.html.php
@@ -14,14 +14,14 @@
          <?= $details[$i]["caption"] ?>
          </td>
          <td class="gOdd">
-         <?= SafeString::of($details[$i]["value"]) ?>
+         <?= html::clean($details[$i]["value"]) ?>
          </td>
          <? if (!empty($details[++$i])): ?>
            <td class="gEven">
            <?= $details[$i]["caption"] ?>
            </td>
            <td class="gOdd">
-           <?= SafeString::of($details[$i]["value"]) ?>
+           <?= html::clean($details[$i]["value"]) ?>
            </td>
          <? else: ?>
            <td class="gEven"></td><td class="gOdd"></td>
diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php
index a01ca1db..7e5c6f75 100644
--- a/modules/g2_import/helpers/g2_import.php
+++ b/modules/g2_import/helpers/g2_import.php
@@ -590,7 +590,7 @@ class g2_import_Core {
     self::map($g2_comment->getId(), $comment->id);
     return t("Imported comment '%comment' for item with id: %id",
              array("id" => $comment->item_id,
-                   "comment" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50)));
+                   "comment" => text::limit_words(nl2br(html::purify($comment->text)), 50)));
   }
 
   /**
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index d727b654..43c77340 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
     module::set_var($module_name, $var_name, Input::instance()->post("value"));
     message::success(
       t("Saved value for %var (%module_name)",
-        array("var" => SafeString::of($var_name), "module_name" => $module_name)));
+        array("var" => html::clean($var_name), "module_name" => $module_name)));
 
     print json_encode(array("result" => "success"));
   }
diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php
index 8fddb563..20731f9c 100644
--- a/modules/gallery/controllers/quick.php
+++ b/modules/gallery/controllers/quick.php
@@ -75,7 +75,7 @@ class Quick_Controller extends Controller {
     access::required("view", $item->parent());
     access::required("edit", $item->parent());
 
-    $msg = t("Made <b>%title</b> this album's cover", array("title" => SafeString::purify($item->title)));
+    $msg = t("Made <b>%title</b> this album's cover", array("title" => html::purify($item->title)));
 
     item::make_album_cover($item);
     message::success($msg);
@@ -91,10 +91,10 @@ class Quick_Controller extends Controller {
     if ($item->is_album()) {
       print t(
         "Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
-        array("title" => SafeString::purify($item->title)));
+        array("title" => html::purify($item->title)));
     } else {
       print t("Are you sure you want to delete <b>%title</b>?",
-              array("title" => SafeString::purify($item->title)));
+              array("title" => html::purify($item->title)));
     }
 
     $form = item::get_delete_form($item);
@@ -108,9 +108,9 @@ class Quick_Controller extends Controller {
     access::required("edit", $item);
 
     if ($item->is_album()) {
-      $msg = t("Deleted album <b>%title</b>", array("title" => SafeString::purify($item->title)));
+      $msg = t("Deleted album <b>%title</b>", array("title" => html::purify($item->title)));
     } else {
-      $msg = t("Deleted photo <b>%title</b>", array("title" => SafeString::purify($item->title)));
+      $msg = t("Deleted photo <b>%title</b>", array("title" => html::purify($item->title)));
     }
 
     $parent = $item->parent();
diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php
index eb388811..75114898 100644
--- a/modules/gallery/helpers/MY_html.php
+++ b/modules/gallery/helpers/MY_html.php
@@ -65,11 +65,11 @@ class html extends html_Core {
    *
    * Example:<pre>
    *   <script type="text/javascript>"
-   *     var some_js_var = "<?= html::escape_for_js($php_var) ?>";
+   *     var some_js_var = "<?= html::clean_js($php_var) ?>";
    *   </script>
    * </pre>
    */
-  static function escape_for_js($string) {
+  static function clean_js($string) {
     return SafeString::of($string)->for_js();
   }
 
diff --git a/modules/gallery/helpers/gallery_rss.php b/modules/gallery/helpers/gallery_rss.php
index affb3101..dee6ae40 100644
--- a/modules/gallery/helpers/gallery_rss.php
+++ b/modules/gallery/helpers/gallery_rss.php
@@ -53,9 +53,9 @@ class gallery_rss_Core {
         ->descendants($limit, $offset, array("type" => "photo"));
       $feed->max_pages = ceil(
         $item->viewable()->descendants_count(array("type" => "photo")) / $limit);
-      $feed->title = SafeString::purify($item->title);
+      $feed->title = html::purify($item->title);
       $feed->link = url::abs_site("albums/{$item->id}");
-      $feed->description = nl2br(SafeString::purify($item->description));
+      $feed->description = nl2br(html::purify($item->description));
 
       return $feed;
     }
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index 8c0e8aa8..c9557324 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -64,10 +64,10 @@ class gallery_task_Core {
           if (!$success) {
             $ignored[$item->id] = 1;
             $errors[] = t("Unable to rebuild images for '%title'",
-                          array("title" => SafeString::purify($item->title)));
+                          array("title" => html::purify($item->title)));
           } else {
             $errors[] = t("Successfully rebuilt images for '%title'",
-                          array("title" => SafeString::purify($item->title)));
+                          array("title" => html::purify($item->title)));
           }
         }
 
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
index 4d934ad5..a9903256 100644
--- a/modules/gallery/tests/Html_Helper_Test.php
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -40,8 +40,8 @@ class Html_Helper_Test extends Unit_Test_Case {
 			$safe_string_2);
   }
 
-  public function escape_for_js_test() {
-    $string = html::escape_for_js("hello's <p  >world</p>");
+  public function clean_js_test() {
+    $string = html::clean_js("hello's <p  >world</p>");
     $this->assert_equal("hello\\'s <p  >world<\\/p>",
 			$string);
   }
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 8e5f8354..16e5a856 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -151,7 +151,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
 		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
 		in_array($tokens[$token_number + 2][1],
-			 array("clean", "purify", "escape_for_js", "clean_attribute_test")) &&
+			 array("clean", "purify", "clean_js", "clean_attribute")) &&
 		self::_token_matches("(", $tokens, $token_number + 3)) {
               // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
 
@@ -161,7 +161,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	      $token_number += 3;
 	      $token = $tokens[$token_number];
 
-              if ("escape_for_js" == $method) {
+              if ("clean_js" == $method) {
                 $frame->is_safe_js(true);
               } else {
                 $frame->is_safe_html(true);
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index adc15b91..4235e8f8 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -20,13 +20,13 @@
     <? if ($var->module_name == "gallery" && $var->name == "_cache") continue ?>
     <tr class="setting">
       <td> <?= $var->module_name ?> </td>
-      <td> <?= SafeString::of($var->name) ?> </td>
+      <td> <?= html::clean($var->name) ?> </td>
       <td>
-        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . SafeString::of($var->name)) ?>"
+        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>"
           class="gDialogLink"
           title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
           <? if ($var->value): ?>
-          <?= SafeString::of($var->value) ?>
+          <?= html::clean($var->value) ?>
           <? else: ?>
           <i> <?= t("empty") ?> </i>
           <? endif ?>
diff --git a/modules/gallery/views/admin_block_log_entries.html.php b/modules/gallery/views/admin_block_log_entries.html.php
index b7afb22d..780ff2d0 100644
--- a/modules/gallery/views/admin_block_log_entries.html.php
+++ b/modules/gallery/views/admin_block_log_entries.html.php
@@ -2,7 +2,7 @@
 <ul>
   <? foreach ($entries as $entry): ?>
   <li class="<?= log::severity_class($entry->severity) ?>" style="direction: ltr">
-    <a href="<?= url::site("user/$entry->user_id") ?>"><?= SafeString::of($entry->user->name) ?></a>
+    <a href="<?= url::site("user/$entry->user_id") ?>"><?= html::clean($entry->user->name) ?></a>
     <?= gallery::date_time($entry->timestamp) ?>
     <?= $entry->message ?>
     <?= $entry->html ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index 732bdc38..a50836ad 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= SafeString::of($photo->title) ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= SafeString::of($photo->title) ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index 4bee9bb1..052d749b 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -40,7 +40,7 @@
   </form>
 	
 	<script type="text/javascript">
-    var old_default_locale = "<?= SafeString::of($default_locale)->for_js() ?>";
+    var old_default_locale = "<?= html::escape_for_js($default_locale) ?>";
     
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
@@ -57,7 +57,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")->for_js() ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="<?= html::escape_for_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index a1f7b126..05bc0923 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -93,7 +93,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= SafeString::of($task->owner()->name) ?>
+          <?= html::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->state == "stalled"): ?>
@@ -164,7 +164,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= SafeString::of($task->owner()->name) ?>
+          <?= html::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->done): ?>
diff --git a/modules/gallery/views/admin_maintenance_show_log.html.php b/modules/gallery/views/admin_maintenance_show_log.html.php
index 209aef03..8ea1beb6 100644
--- a/modules/gallery/views/admin_maintenance_show_log.html.php
+++ b/modules/gallery/views/admin_maintenance_show_log.html.php
@@ -12,7 +12,7 @@ appendTo('body').submit().remove();
 <div id="gTaskLogDialog">
   <h1> <?= $task->name ?> </h1>
   <div class="gTaskLog">
-    <pre><?= SafeString::purify($task->get_log()) ?></pre>
+    <pre><?= html::purify($task->get_log()) ?></pre>
   </div>
   <button id="gCloseButton" class="ui-state-default ui-corner-all" onclick="dismiss()"><?= t("Close") ?></button>
   <button id="gSaveButton" class="ui-state-default ui-corner-all" onclick="download()"><?= t("Save") ?></button>
diff --git a/modules/gallery/views/move_tree.html.php b/modules/gallery/views/move_tree.html.php
index 7818a42a..623f80ee 100644
--- a/modules/gallery/views/move_tree.html.php
+++ b/modules/gallery/views/move_tree.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <?= $parent->thumb_img(array(), 25); ?>
 <? if (!access::can("edit", $parent) || $source->is_descendant($parent)): ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= SafeString::of($parent->title) ?> <?= t("(locked)") ?> </a>
+<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= html::clean($parent->title) ?> <?= t("(locked)") ?> </a>
 <? else: ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= SafeString::of($parent->title) ?></a>
+<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= html::clean($parent->title) ?></a>
 <? endif ?>
 <ul id="tree_<?= $parent->id ?>">
   <? foreach ($children as $child): ?>
   <li id="node_<?= $child->id ?>" class="node">
     <?= $child->thumb_img(array(), 25); ?>
     <? if (!access::can("edit", $child) || $source->is_descendant($child)): ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= SafeString::of($child->title) ?> <?= t("(locked)") ?></a>
+    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= html::clean($child->title) ?> <?= t("(locked)") ?></a>
     <? else: ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= SafeString::of($child->title) ?> </a>
+    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= html::clean($child->title) ?> </a>
     <? endif ?>
   </li>
   <? endforeach ?>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index 90970112..d9395b3f 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -39,13 +39,13 @@
     <? foreach ($parents as $parent): ?>
     <li id="item-<?= $parent->id ?>">
       <a href="javascript:show(<?= $parent->id ?>)">
-        <?= SafeString::purify($parent->title) ?>
+        <?= html::purify($parent->title) ?>
       </a>
     </li>
     <? endforeach ?>
     <li class="active" id="item-<?= $item->id ?>">
       <a href="javascript:show(<?= $item->id ?>)">
-    	<?= SafeString::purify($item->title) ?>
+    	<?= html::purify($item->title) ?>
       </a>
     </li>
   </ul>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index adc0496f..e6b217c5 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -6,7 +6,7 @@
     <tr>
       <th> </th>
       <? foreach ($groups as $group): ?>
-      <th> <?= SafeString::of($group->name) ?> </th>
+      <th> <?= html::clean($group->name) ?> </th>
       <? endforeach ?>
     </tr>
 
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 1f185780..b136972a 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -6,7 +6,7 @@
 <!-- hack to set the title for the dialog -->
 <form id="gAddPhotosForm" action="<?= url::site("simple_uploader/finish?csrf=$csrf") ?>">
   <fieldset>
-    <legend> <?= t("Add photos to %album_title", array("album_title" => SafeString::purify($item->title))) ?> </legend>
+    <legend> <?= t("Add photos to %album_title", array("album_title" => html::purify($item->title))) ?> </legend>
   </fieldset>
 </form>
 
@@ -26,9 +26,9 @@
   </p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
-    <li> <?= SafeString::of($parent->title) ?> </li>
+    <li> <?= html::clean($parent->title) ?> </li>
     <? endforeach ?>
-    <li class="active"> <?= SafeString::purify($item->title) ?> </li>
+    <li class="active"> <?= html::purify($item->title) ?> </li>
   </ul>
 
   <p>
@@ -82,13 +82,13 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= url::file("lib/swfupload/swfupload.swf")->for_js() ?>",
-    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id")->for_js() ?>",
+    flash_url: "<?= html::escape_for_js(url::file("lib/swfupload/swfupload.swf")) ?>",
+    upload_url: "<?= html::escape_for_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= SafeString::of(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")->for_js() ?>",
+    file_size_limit: "<?= html::escape_for_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")) ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
     file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
@@ -97,7 +97,7 @@
     debug: false,
 
     // Button settings
-    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png")->for_js() ?>",
+    button_image_url: "<?= html::escape_for_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
diff --git a/modules/info/views/info_block.html.php b/modules/info/views/info_block.html.php
index bfaaee99..d8f36984 100644
--- a/modules/info/views/info_block.html.php
+++ b/modules/info/views/info_block.html.php
@@ -2,18 +2,18 @@
 <ul class="gMetadata">
   <li>
     <strong class="caption"><?= t("Title:") ?></strong>
-    <?= SafeString::purify($item->title) ?>
+    <?= html::purify($item->title) ?>
   </li>
   <? if ($item->description): ?>
   <li>
     <strong class="caption"><?= t("Description:") ?></strong>
-     <?= nl2br(SafeString::purify($item->description)) ?>
+     <?= nl2br(html::purify($item->description)) ?>
   </li>
   <? endif ?>
   <? if (!$item->is_album()): ?>
   <li>
     <strong class="caption"><?= t("File name:") ?></strong>
-    <?= SafeString::of($item->name) ?>
+    <?= html::clean($item->name) ?>
   </li>
   <? endif ?>
   <? if ($item->captured): ?>
@@ -26,9 +26,9 @@
   <li>
     <strong class="caption"><?= t("Owner:") ?></strong>
     <? if ($item->owner->url): ?>
-    <a href="<?= $item->owner->url ?>"><?= SafeString::of($item->owner->display_name()) ?></a>
+    <a href="<?= $item->owner->url ?>"><?= html::clean($item->owner->display_name()) ?></a>
     <? else: ?>
-    <?= SafeString::of($item->owner->display_name()) ?>
+    <?= html::clean($item->owner->display_name()) ?>
     <? endif ?>
   </li>
   <? endif ?>
diff --git a/modules/notification/views/comment_published.html.php b/modules/notification/views/comment_published.html.php
index 02daf921..e39e39c6 100644
--- a/modules/notification/views/comment_published.html.php
+++ b/modules/notification/views/comment_published.html.php
@@ -1,26 +1,26 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Comment:") ?></td>
-  <td><?= nl2br(SafeString::purify($comment->text)) ?></td>
+  <td><?= nl2br(html::purify($comment->text)) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Name:") ?></td>
-        <td><?= SafeString::of($comment->author_name()) ?></td>
+        <td><?= html::clean($comment->author_name()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Email:") ?></td>
-        <td><?= SafeString::of($comment->author_email()) ?></td>
+        <td><?= html::clean($comment->author_email()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author URL:") ?></td>
-        <td><?= SafeString::of($comment->author_url()) ?></td>
+        <td><?= html::clean($comment->author_url()) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
diff --git a/modules/notification/views/item_added.html.php b/modules/notification/views/item_added.html.php
index 70b8fca4..f697fea6 100644
--- a/modules/notification/views/item_added.html.php
+++ b/modules/notification/views/item_added.html.php
@@ -1,14 +1,14 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Title:") ?></td>
-        <td><?= SafeString::purify($item->title) ?></td>
+        <td><?= html::purify($item->title) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
@@ -21,7 +21,7 @@
       <? if ($item->description): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-         <td><?= nl2br(SafeString::purify($item->description)) ?></td>
+         <td><?= nl2br(html::purify($item->description)) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/notification/views/item_deleted.html.php b/modules/notification/views/item_deleted.html.php
index e04fc71b..a51782ff 100644
--- a/modules/notification/views/item_deleted.html.php
+++ b/modules/notification/views/item_deleted.html.php
@@ -1,15 +1,15 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td colspan="2">
           <?= t("To view the changed album %title use the link below.",
-              array("title" => SafeString::purify($item->parent()->title))) ?>
+              array("title" => html::purify($item->parent()->title))) ?>
         </td>
       </tr>
       <tr>
diff --git a/modules/notification/views/item_updated.html.php b/modules/notification/views/item_updated.html.php
index c3a4f795..ba03540a 100644
--- a/modules/notification/views/item_updated.html.php
+++ b/modules/notification/views/item_updated.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2> <?= SafeString::of($subject) ?> </h2>
+    <h2> <?= html::clean($subject) ?> </h2>
     <table>
       <tr>
         <? if ($item->original("title") != $item->title): ?>
         <td><?= t("New Title:") ?></td>
-        <td><?= SafeString::of($item->title) ?></td>
+        <td><?= html::clean($item->title) ?></td>
         <? else: ?>
         <td><?= t("Title:") ?></td>
-        <td><?= SafeString::of($item->title) ?></td>
+        <td><?= html::clean($item->title) ?></td>
         <? endif ?>
       </tr>
       <tr>
@@ -22,12 +22,12 @@
       <? if ($item->original("description") != $item->description): ?>
       <tr>
         <td><?= t("New Description:") ?></td>
-        <td><?= SafeString::of($item->description) ?></td>
+        <td><?= html::clean($item->description) ?></td>
       </tr>
       <? elseif (!empty($item->description)): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-        <td><?= SafeString::of($item->description) ?></td>
+        <td><?= html::clean($item->description) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/organize/views/organize_dialog.html.php b/modules/organize/views/organize_dialog.html.php
index 27d5b508..857499aa 100644
--- a/modules/organize/views/organize_dialog.html.php
+++ b/modules/organize/views/organize_dialog.html.php
@@ -5,7 +5,7 @@
   var sort_order_url = "<?= url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf") ?>";
 </script>
 <div id="gOrganize" class="gDialogPanel">
-  <h1 style="display:none"><?= t("Organize %name", array("name" => SafeString::purify($album->title))) ?></h1>
+  <h1 style="display:none"><?= t("Organize %name", array("name" => html::purify($album->title))) ?></h1>
   <div id="bd">
     <div class="yui-gf">
       <div class="yui-u first">
diff --git a/modules/organize/views/organize_tree.html.php b/modules/organize/views/organize_tree.html.php
index 387d5977..5b676889 100644
--- a/modules/organize/views/organize_tree.html.php
+++ b/modules/organize/views/organize_tree.html.php
@@ -5,7 +5,7 @@
   <span class="ui-icon ui-icon-minus">
   </span>
   <span class="gAlbumText" ref="<?= $parent->id ?>">
-    <?= SafeString::of($parent->title) ?>
+    <?= html::clean($parent->title) ?>
   </span>
   <ul class="ui-icon-plus">
     <? endforeach ?>
@@ -17,7 +17,7 @@
       </span>
       <span class="gAlbumText <?= $peer->id == $album->id ? "selected" : "" ?>"
             ref="<?= $peer->id ?>">
-        <?= SafeString::of($peer->title) ?>
+        <?= html::clean($peer->title) ?>
       </span>
 
       <? if ($peer->id == $album->id): ?>
@@ -29,7 +29,7 @@
           </span>
           <span class="gAlbumText"
                 ref="<?= $child->id ?>">
-            <?= SafeString::of($child->title) ?>
+            <?= html::clean($child->title) ?>
           </span>
         </li>
         <? endforeach ?>
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 7298b7f4..731703c7 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>gallery3</generator>
-    <title><?= SafeString::of($feed->title) ?></title>
+    <title><?= html::clean($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= SafeString::of($feed->description) ?></description>
+    <description><?= html::clean($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= SafeString::of($child->title) ?></title>
+      <title><?= html::clean($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= SafeString::of($child->description) ?></span>
+          <span><?= html::clean($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= SafeString::of($child->title) ?>"
+                 title="<?= html::clean($child->title) ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= SafeString::of($child->title) ?>"
+                 title="<?= html::clean($child->title) ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= SafeString::of($child->description) ?>
+            <?= html::clean($child->description) ?>
           </p>
         ]]>
       </content:encoded>
diff --git a/modules/rss/views/rss_block.html.php b/modules/rss/views/rss_block.html.php
index cd8db89d..737731b6 100644
--- a/modules/rss/views/rss_block.html.php
+++ b/modules/rss/views/rss_block.html.php
@@ -5,7 +5,7 @@
     <span class="ui-icon-left">
     <a href="<?= rss::url($url) ?>">
       <span class="ui-icon ui-icon-signal-diag"></span>
-      <?= SafeString::purify($title) ?>
+      <?= html::purify($title) ?>
     </a>
     </span>
   </li>
diff --git a/modules/search/views/search.html.php b/modules/search/views/search.html.php
index e5c7b4a6..7963948d 100644
--- a/modules/search/views/search.html.php
+++ b/modules/search/views/search.html.php
@@ -8,7 +8,7 @@
     <ul>
       <li>
         <label for="q"><?= t("Search the gallery") ?></label>
-        <input name="q" id="q" type="text" value="<?= SafeString::of($q)->for_html_attr() ?>"/>
+        <input name="q" id="q" type="text" value="<?= html::clean_attribute($q) ?>"/>
       </li>
       <li>
         <input type="submit" value="<?= t("Search")->for_html_attr() ?>" />
@@ -31,10 +31,10 @@
       <a href="<?= url::site("items/$item->id") ?>">
         <?= $item->thumb_img() ?>
         <p>
-    <?= SafeString::purify($item->title) ?>
+    <?= html::purify($item->title) ?>
         </p>
         <div>
-    <?= nl2br(SafeString::purify($item->description)) ?>
+    <?= nl2br(html::purify($item->description)) ?>
         </div>
       </a>
     </li>
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index c4439bda..b48a19da 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -16,7 +16,7 @@
            class="gRemoveDir ui-icon ui-icon-trash">
           X
         </a>
-        <?= SafeString::of($path) ?>
+        <?= html::clean($path) ?>
       </li>
       <? endforeach ?>
     </ul>
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index 2f65a590..dbae42c5 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -10,7 +10,7 @@
     <li class="ui-icon-left">
       <span class="ui-icon ui-icon-folder-open"></span>
       <span ondblclick="open_dir('<?= $dir ?>')">
-        <?= SafeString::of(basename($dir)) ?>
+        <?= html::clean(basename($dir)) ?>
       </span>
       <ul>
         <? endforeach ?>
@@ -24,7 +24,7 @@
                 <? endif ?>
                 file="<?= strtr($file, array('"' => '\\"')) ?>"
                 >
-            <?= SafeString::of(basename($file)) ?>
+            <?= html::clean(basename($file)) ?>
           </span>
         </li>
         <? endforeach ?>
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index 912e69b6..8eb6e4df 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -5,17 +5,17 @@
 </script>
 
 <div id="gServerAdd">
-  <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => SafeString::purify($item->title))) ?></h1>
+  <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => html::purify($item->title))) ?></h1>
 
   <p id="gDescription"><?= t("Photos will be added to album:") ?></p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
     <li>
-      <?= SafeString::purify($parent->title) ?>
+      <?= html::purify($parent->title) ?>
     </li>
     <? endforeach ?>
     <li class="active">
-      <?= SafeString::purify($item->title) ?>
+      <?= html::purify($item->title) ?>
     </li>
   </ul>
 
diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index f1b4ca3a..8b8dde21 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -106,7 +106,7 @@ class Admin_Tags_Controller extends Admin_Controller {
         array("result" => "success",
               "location" => url::site("admin/tags"),
               "tag_id" => $tag->id,
-              "new_tagname" => SafeString::of($tag->name)));
+              "new_tagname" => html::clean($tag->name)));
     } else {
       print json_encode(
         array("result" => "error",
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 30dd0728..3d805c5e 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -32,7 +32,7 @@
           <? $current_letter = strtoupper(mb_substr($tag->name, 0, 1)) ?>
 
           <? if ($i == 0): /* first letter */ ?>
-            <strong><?= SafeString::of($current_letter) ?></strong>
+            <strong><?= html::clean($current_letter) ?></strong>
             <ul>
           <? elseif ($last_letter != $current_letter): /* new letter */ ?>
             <? if ($column_tag_count > $tags_per_column): /* new column */ ?>
@@ -42,12 +42,12 @@
             <? endif ?>
 
             </ul>
-            <strong><?= SafeString::of($current_letter) ?></strong>
+            <strong><?= html::clean($current_letter) ?></strong>
             <ul>
           <? endif ?>
 
           <li>
-            <span id="gTag-<?= $tag->id ?>" class="gEditable tag-name"><?= SafeString::of($tag->name) ?></span>
+            <span id="gTag-<?= $tag->id ?>" class="gEditable tag-name"><?= html::clean($tag->name) ?></span>
             <span class="understate">(<?= $tag->count ?>)</span>
             <a href="<?= url::site("admin/tags/form_delete/$tag->id") ?>"
                class="gDialogLink delete-link gButtonLink">
diff --git a/modules/tag/views/tag_cloud.html.php b/modules/tag/views/tag_cloud.html.php
index b4c6ae34..d6a0b5f8 100644
--- a/modules/tag/views/tag_cloud.html.php
+++ b/modules/tag/views/tag_cloud.html.php
@@ -3,7 +3,7 @@
   <? foreach ($tags as $tag): ?>
   <li class="size<?=(int)(($tag->count / $max_count) * 7) ?>">
     <span><?= $tag->count ?> photos are tagged with </span>
-    <a href="<?= url::site("tags/$tag->id") ?>"><?= SafeString::of($tag->name) ?></a>
+    <a href="<?= url::site("tags/$tag->id") ?>"><?= html::clean($tag->name) ?></a>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index 4b141a1c..fc3ced56 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -24,7 +24,7 @@ class Logout_Controller extends Controller {
     $user = user::active();
     user::logout();
     log::info("user", t("User %name logged out", array("name" => $user->name)),
-              html::anchor("user/$user->id", SafeString::of($user->name)));
+              html::anchor("user/$user->id", html::clean($user->name)));
     if ($continue_url = $this->input->get("continue")) {
       $item = url::get_item_from_uri($continue_url);
       if (access::can("view", $item)) {
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 36c4f4fd..9455f9d9 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -68,16 +68,16 @@
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
                title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= SafeString::of($user->name) ?>"
+               alt="<?= html::clean($user->name) ?>"
                width="20"
                height="20" />
-          <?= SafeString::of($user->name) ?>
+          <?= html::clean($user->name) ?>
         </td>
         <td>
-          <?= SafeString::of($user->full_name) ?>
+          <?= html::clean($user->full_name) ?>
         </td>
         <td>
-          <?= SafeString::of($user->email) ?>
+          <?= html::clean($user->email) ?>
         </td>
         <td>
           <?= ($user->last_login == 0) ? "" : gallery::date($user->last_login) ?>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index f89a4392..8418ebc9 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -1,6 +1,6 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <h4>
-  <?= SafeString::of($group->name) ?>
+  <?= html::clean($group->name) ?>
   <? if (!$group->special): ?>
   <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
     title="<?= t("Delete the %name group", array("name" => $group->name)) ?>"
@@ -17,7 +17,7 @@
 <ul>
   <? foreach ($group->users as $i => $user): ?>
   <li class="gUser">
-    <?= SafeString::of($user->name) ?>
+    <?= html::clean($user->name) ?>
     <? if (!$group->special): ?>
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
        class="gButtonLink ui-state-default ui-corner-all ui-icon-left"
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index e92513e7..85f673ce 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -12,7 +12,7 @@
       '<a href="' . url::site("form/edit/users/{$user->id}") .
       '" title="' . t("Edit Your Profile")->for_html_attr() .
       '" id="gUserProfileLink" class="gDialogLink">' .
-      SafeString::of($user->display_name()) . '</a>'))) ?>
+      html::clean($user->display_name()) . '</a>'))) ?>
   </li>
   <li>
     <a href="<?= url::site("logout?csrf=$csrf&amp;continue=" . urlencode(url::current(true))) ?>"
diff --git a/themes/default/views/album.html.php b/themes/default/views/album.html.php
index 8c690f5f..caabeee3 100644
--- a/themes/default/views/album.html.php
+++ b/themes/default/views/album.html.php
@@ -2,8 +2,8 @@
 <? // @todo Set hover on AlbumGrid list items for guest users ?>
 <div id="gInfo">
   <?= $theme->album_top() ?>
-  <h1><?= SafeString::purify($item->title) ?></h1>
-  <div class="gDescription"><?= nl2br(SafeString::purify($item->description)) ?></div>
+  <h1><?= html::purify($item->title) ?></h1>
+  <div class="gDescription"><?= nl2br(html::purify($item->description)) ?></div>
 </div>
 
 <ul id="gAlbumGrid">
@@ -20,7 +20,7 @@
     </a>
     <?= $theme->thumb_bottom($child) ?>
     <?= $theme->context_menu($child, "#gItemId-{$child->id} .gThumbnail") ?>
-    <h2><span></span><a href="<?= $child->url() ?>"><?= SafeString::of($child->title) ?></a></h2>
+    <h2><span></span><a href="<?= $child->url() ?>"><?= html::clean($child->title) ?></a></h2>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
     </ul>
diff --git a/themes/default/views/dynamic.html.php b/themes/default/views/dynamic.html.php
index 2d8e04a2..9ed9d69b 100644
--- a/themes/default/views/dynamic.html.php
+++ b/themes/default/views/dynamic.html.php
@@ -3,7 +3,7 @@
   <div id="gAlbumHeaderButtons">
     <?= $theme->dynamic_top() ?>
   </div>
-  <h1><?= SafeString::of($title) ?></h1>
+  <h1><?= html::clean($title) ?></h1>
 </div>
 
 <ul id="gAlbumGrid">
@@ -16,7 +16,7 @@
            width="<?= $child->thumb_width ?>"
            height="<?= $child->thumb_height ?>" />
     </a>
-    <h2><?= SafeString::purify($child->title) ?></h2>
+    <h2><?= html::purify($child->title) ?></h2>
     <?= $theme->thumb_bottom($child) ?>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
diff --git a/themes/default/views/header.html.php b/themes/default/views/header.html.php
index 9e34401d..dcfa6fd8 100644
--- a/themes/default/views/header.html.php
+++ b/themes/default/views/header.html.php
@@ -19,10 +19,10 @@
   <? foreach ($parents as $parent): ?>
   <li>
     <a href="<?= url::site("albums/{$parent->id}?show=$item->id") ?>">
-      <?= SafeString::purify($parent->title) ?>
+      <?= html::purify($parent->title) ?>
     </a>
   </li>
   <? endforeach ?>
-  <li class="active"><?= SafeString::purify($item->title) ?></li>
+  <li class="active"><?= html::purify($item->title) ?></li>
 </ul>
 <? endif ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 237743b7..910814dd 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -28,8 +28,8 @@
   <?= $item->movie_img(array("class" => "gMovie", "id" => "gMovieId-{$item->id}")) ?>
 
   <div id="gInfo">
-    <h1><?= SafeString::purify($item->title) ?></h1>
-       <div><?= nl2br(SafeString::purify($item->description)) ?></div>
+    <h1><?= html::purify($item->title) ?></h1>
+       <div><?= nl2br(html::purify($item->description)) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 5b5cb12b..c601c4cc 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= $theme->item()->file_url()->for_js() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size("<?= html::escape_for_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
@@ -51,8 +51,8 @@
   </div>
 
   <div id="gInfo">
-    <h1><?= SafeString::purify($item->title) ?></h1>
-    <div><?= nl2br(SafeString::purify($item->description)) ?></div>
+    <h1><?= html::purify($item->title) ?></h1>
+    <div><?= nl2br(html::purify($item->description)) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
-- 
cgit v1.2.3


From beb711d6a0fedac0d4ca3b9bae162a6ce9d6cdeb Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 30 Aug 2009 15:21:02 -0700
Subject: Rename clean_js to js_string and have it return a complete JS string
 (with delimiters) instead of just the string contents.

Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.
---
 modules/gallery/helpers/MY_html.php         |  4 ++--
 modules/gallery/libraries/SafeString.php    | 14 +++-----------
 modules/gallery/tests/Html_Helper_Test.php  |  6 +++---
 modules/gallery/tests/SafeString_Test.php   |  8 ++++----
 modules/gallery/tests/Xss_Security_Test.php |  4 ++--
 5 files changed, 14 insertions(+), 22 deletions(-)

(limited to 'modules/gallery/tests/Html_Helper_Test.php')

diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php
index 75114898..4522d01c 100644
--- a/modules/gallery/helpers/MY_html.php
+++ b/modules/gallery/helpers/MY_html.php
@@ -65,11 +65,11 @@ class html extends html_Core {
    *
    * Example:<pre>
    *   <script type="text/javascript>"
-   *     var some_js_var = "<?= html::clean_js($php_var) ?>";
+   *     var some_js_string = <?= html::js_string($php_string) ?>;
    *   </script>
    * </pre>
    */
-  static function clean_js($string) {
+  static function js_string($string) {
     return SafeString::of($string)->for_js();
   }
 
diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 9614a213..0767a665 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -92,17 +92,17 @@ class SafeString_Core {
   }
 
   /**
-   * Safe for use in JavaScript.
+   * Safe for use as JavaScript string.
    *
    * Example:<pre>
    *   <script type="text/javascript>"
-   *     var some_js_var = "<?= $php_var->for_js() ?>";
+   *     var some_js_var = <?= $php_var->for_js() ?>;
    *   </script>
    * </pre>
    * @return the string escaped for use in JavaScript.
    */
   function for_js() {
-    return self::_escape_for_js($this->_raw_string);
+    return json_encode((string) $this->_raw_string);
   }
 
   /**
@@ -152,14 +152,6 @@ class SafeString_Core {
     return html::specialchars($dirty_html);
   }
 
-  // Escapes special chars (quotes, backslash, etc.) with a backslash sequence.
-  private static function _escape_for_js($string) {
-    // From Smarty plugins/modifier.escape.php
-    // Might want to be stricter here.
-    return strtr($string,
-		 array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n','</'=>'<\/'));
-  }
-
   // Purifies the string, removing any potentially malicious or unsafe HTML / JavaScript.
   private static function _purify_for_html($dirty_html) {
     if (empty(self::$_purifier)) {
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
index a9903256..f5ce7fa4 100644
--- a/modules/gallery/tests/Html_Helper_Test.php
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -40,9 +40,9 @@ class Html_Helper_Test extends Unit_Test_Case {
 			$safe_string_2);
   }
 
-  public function clean_js_test() {
-    $string = html::clean_js("hello's <p  >world</p>");
-    $this->assert_equal("hello\\'s <p  >world<\\/p>",
+  public function js_string_test() {
+    $string = html::js_string("hello's <p  >world</p>");
+    $this->assert_equal('"hello\'s <p  >world<\\/p>"',
 			$string);
   }
 
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
index 0fc7f6f3..ede55240 100644
--- a/modules/gallery/tests/SafeString_Test.php
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -49,7 +49,7 @@ class SafeString_Test extends Unit_Test_Case {
   public function for_js_test() {
     $safe_string = new SafeString('"<em>Foo</em>\'s bar"');
     $js_string = $safe_string->for_js();
-    $this->assert_equal('\\"<em>Foo<\\/em>\\\'s bar\\"',
+    $this->assert_equal('"\\"<em>Foo<\\/em>\'s bar\\""',
 			$js_string);
   }
 
@@ -96,21 +96,21 @@ class SafeString_Test extends Unit_Test_Case {
 
   public function of_fluid_api_test() {
     $escaped_string = SafeString::of("Foo's bar")->for_js();
-    $this->assert_equal("Foo\\'s bar", $escaped_string);
+    $this->assert_equal('"Foo\'s bar"', $escaped_string);
   }
 
   public function safestring_of_safestring_preserves_safe_status_test() {
     $safe_string = SafeString::of_safe_html("hello's <p>world</p>");
     $safe_string_2 = new SafeString($safe_string);
     $this->assert_equal("hello's <p>world</p>", $safe_string_2);
-    $this->assert_equal("hello\\'s <p>world<\\/p>", $safe_string_2->for_js());
+    $this->assert_equal('"hello\'s <p>world<\\/p>"', $safe_string_2->for_js());
   }
 
   public function safestring_of_safestring_preserves_html_safe_status_test() {
     $safe_string = SafeString::of_safe_html("hello's <p>world</p>");
     $safe_string_2 = new SafeString($safe_string);
     $this->assert_equal("hello's <p>world</p>", $safe_string_2);
-    $this->assert_equal("hello\\'s <p>world<\\/p>", $safe_string_2->for_js());
+    $this->assert_equal('"hello\'s <p>world<\\/p>"', $safe_string_2->for_js());
   }
 
   public function safestring_of_safestring_safe_status_override_test() {
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index b385580d..3a22afc1 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -188,7 +188,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
 		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
 		in_array($tokens[$token_number + 2][1],
-			 array("clean", "purify", "clean_js", "clean_attribute")) &&
+			 array("clean", "purify", "js_string", "clean_attribute")) &&
 		self::_token_matches("(", $tokens, $token_number + 3)) {
               // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
 
@@ -198,7 +198,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	      $token_number += 3;
 	      $token = $tokens[$token_number];
 
-              if ("clean_js" == $method) {
+              if ("js_string" == $method) {
                 $frame->is_safe_js(true);
               } else {
                 $frame->is_safe_html(true);
-- 
cgit v1.2.3


From df38a890a64dd33eafe3aed51ce8fde732cf8b8b Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 30 Aug 2009 18:07:13 -0700
Subject: Tabs to spaces cleanup

---
 modules/gallery/controllers/admin_languages.php |  32 +-
 modules/gallery/controllers/l10n_client.php     |   8 +-
 modules/gallery/helpers/gallery.php             |   6 +-
 modules/gallery/libraries/SafeString.php        |   4 +-
 modules/gallery/tests/Html_Helper_Test.php      |  10 +-
 modules/gallery/tests/SafeString_Test.php       |  14 +-
 modules/gallery/tests/Xss_Security_Test.php     | 380 ++++++++++++------------
 modules/server_add/helpers/server_add_event.php |   2 +-
 8 files changed, 228 insertions(+), 228 deletions(-)

(limited to 'modules/gallery/tests/Html_Helper_Test.php')

diff --git a/modules/gallery/controllers/admin_languages.php b/modules/gallery/controllers/admin_languages.php
index b1bc4cff..d85c47f9 100644
--- a/modules/gallery/controllers/admin_languages.php
+++ b/modules/gallery/controllers/admin_languages.php
@@ -21,10 +21,10 @@ class Admin_Languages_Controller extends Admin_Controller {
   public function index($share_translations_form=null) {
     $v = new Admin_View("admin.html");
     $v->content = new View("admin_languages.html");
-		$v->content->available_locales = locales::available();
+                $v->content->available_locales = locales::available();
     $v->content->installed_locales = locales::installed();
     $v->content->default_locale = module::get_var("gallery", "default_locale");
-		
+                
     if (empty($share_translations_form)) {
       $share_translations_form = $this->_share_translations_form();
     }
@@ -35,21 +35,21 @@ class Admin_Languages_Controller extends Admin_Controller {
 
   public function save() {
     access::verify_csrf();
-		
-		locales::update_installed($this->input->post("installed_locales"));
-		
-		$installed_locales = array_keys(locales::installed());
+                
+                locales::update_installed($this->input->post("installed_locales"));
+                
+                $installed_locales = array_keys(locales::installed());
     $new_default_locale = $this->input->post("default_locale");
-		if (!in_array($new_default_locale, $installed_locales)) {
-			if (!empty($installed_locales)) {
-				$new_default_locale = $installed_locales[0];
-			} else {
-				$new_default_locale = "en_US";
-			}
-		}
-		module::set_var("gallery", "default_locale", $new_default_locale);
-		
-		print json_encode(array("result" => "success"));
+                if (!in_array($new_default_locale, $installed_locales)) {
+                        if (!empty($installed_locales)) {
+                                $new_default_locale = $installed_locales[0];
+                        } else {
+                                $new_default_locale = "en_US";
+                        }
+                }
+                module::set_var("gallery", "default_locale", $new_default_locale);
+                
+                print json_encode(array("result" => "success"));
   }
 
   public function share() {
diff --git a/modules/gallery/controllers/l10n_client.php b/modules/gallery/controllers/l10n_client.php
index 0775791e..16d39024 100644
--- a/modules/gallery/controllers/l10n_client.php
+++ b/modules/gallery/controllers/l10n_client.php
@@ -90,13 +90,13 @@ class L10n_Client_Controller extends Controller {
     }
 
     $session = Session::instance();
-		$l10n_mode = $session->get("l10n_mode", false);
+                $l10n_mode = $session->get("l10n_mode", false);
     $session->set("l10n_mode", !$l10n_mode);
 
     $redirect_url = "admin/languages";
-		if (!$l10n_mode) {
-			$redirect_url .= "#l10n-client";
-		}
+                if (!$l10n_mode) {
+                        $redirect_url .= "#l10n-client";
+                }
  
     url::redirect($redirect_url);
   }
diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php
index 122227fc..035ed1da 100644
--- a/modules/gallery/helpers/gallery.php
+++ b/modules/gallery/helpers/gallery.php
@@ -92,7 +92,7 @@ class gallery_Core {
       $can_add = $item && access::can("add", $item);
 
       if ($can_add) {
-      	$menu->append($add_menu = Menu::factory("submenu")
+              $menu->append($add_menu = Menu::factory("submenu")
                     ->id("add_menu")
                     ->label(t("Add")));
         $add_menu->append(Menu::factory("dialog")
@@ -100,11 +100,11 @@ class gallery_Core {
                     ->label(t("Add photos"))
                     ->url(url::site("simple_uploader/app/$item->id")));
         if ($item->is_album()) {
-        	$add_menu->append(Menu::factory("dialog")
+                $add_menu->append(Menu::factory("dialog")
                       ->id("add_album_item")
                       ->label(t("Add an album"))
                       ->url(url::site("form/add/albums/$item->id?type=album")));
-				}
+                                }
       }
 
       $menu->append($options_menu = Menu::factory("submenu")
diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 0767a665..cc542e01 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -120,8 +120,8 @@ class SafeString_Core {
   function for_html_attr() {
     $string = (string) $this->for_html();
     return strtr($string,
-		 array("'"=>"&#039;",
-		       '"'=>'&quot;'));
+                 array("'"=>"&#039;",
+                       '"'=>'&quot;'));
   }
 
   /**
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
index f5ce7fa4..3623705e 100644
--- a/modules/gallery/tests/Html_Helper_Test.php
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -21,14 +21,14 @@ class Html_Helper_Test extends Unit_Test_Case {
   public function clean_test() {
     $safe_string = html::clean("hello <p  >world</p>");
     $this->assert_equal("hello &lt;p  &gt;world&lt;/p&gt;",
-			$safe_string);
+                        $safe_string);
     $this->assert_true($safe_string instanceof SafeString);
   }
 
   public function purify_test() {
     $safe_string = html::purify("hello <p  >world</p>");
     $this->assert_equal("hello <p>world</p>",
-			$safe_string);
+                        $safe_string);
     $this->assert_true($safe_string instanceof SafeString);
   }
 
@@ -37,19 +37,19 @@ class Html_Helper_Test extends Unit_Test_Case {
     $this->assert_true($safe_string instanceof SafeString);
     $safe_string_2 = html::clean($safe_string);
     $this->assert_equal("hello <p  >world</p>",
-			$safe_string_2);
+                        $safe_string_2);
   }
 
   public function js_string_test() {
     $string = html::js_string("hello's <p  >world</p>");
     $this->assert_equal('"hello\'s <p  >world<\\/p>"',
-			$string);
+                        $string);
   }
 
   public function clean_attribute_test() {
     $safe_string = SafeString::of_safe_html("hello's <p  >world</p>");
     $safe_string = html::clean_attribute($safe_string);
     $this->assert_equal("hello&#039;s <p  >world</p>",
-			$safe_string);
+                        $safe_string);
   }
 }
\ No newline at end of file
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
index ede55240..0895b7dd 100644
--- a/modules/gallery/tests/SafeString_Test.php
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -21,19 +21,19 @@ class SafeString_Test extends Unit_Test_Case {
   public function toString_escapes_for_html_test() {
     $safe_string = new SafeString("hello <p>world</p>");
     $this->assert_equal("hello &lt;p&gt;world&lt;/p&gt;",
-			$safe_string);
+                        $safe_string);
   }
 
   public function toString_for_safe_string_test() {
     $safe_string = SafeString::of_safe_html("hello <p>world</p>");
     $this->assert_equal("hello <p>world</p>",
-			$safe_string);
+                        $safe_string);
   }
 
   public function for_html_test() {
     $safe_string = new SafeString("hello <p>world</p>");
     $this->assert_equal("hello &lt;p&gt;world&lt;/p&gt;",
-			$safe_string->for_html());
+                        $safe_string->for_html());
   }
 
   public function safestring_of_safestring_test() {
@@ -50,27 +50,27 @@ class SafeString_Test extends Unit_Test_Case {
     $safe_string = new SafeString('"<em>Foo</em>\'s bar"');
     $js_string = $safe_string->for_js();
     $this->assert_equal('"\\"<em>Foo<\\/em>\'s bar\\""',
-			$js_string);
+                        $js_string);
   }
 
   public function for_html_attr_test() {
     $safe_string = new SafeString('"<em>Foo</em>\'s bar"');
     $attr_string = $safe_string->for_html_attr();
     $this->assert_equal('&quot;&lt;em&gt;Foo&lt;/em&gt;&#039;s bar&quot;',
-			$attr_string);
+                        $attr_string);
   }
 
   public function for_html_attr_with_safe_html_test() {
     $safe_string = SafeString::of_safe_html('"<em>Foo</em>\'s bar"');
     $attr_string = $safe_string->for_html_attr();
     $this->assert_equal('&quot;<em>Foo</em>&#039;s bar&quot;',
-			$attr_string);
+                        $attr_string);
   }
 
   public function string_safestring_equality_test() {
     $safe_string = new SafeString("hello <p>world</p>");
     $this->assert_equal("hello <p>world</p>",
-			$safe_string->unescaped());
+                        $safe_string->unescaped());
     $escaped_string = "hello &lt;p&gt;world&lt;/p&gt;";
     $this->assert_equal($escaped_string, $safe_string);
 
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 3a22afc1..6c141c52 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -24,9 +24,9 @@ class Xss_Security_Test extends Unit_Test_Case {
       // List of all tokens without whitespace, simplifying parsing.
       $tokens = array();
       foreach (token_get_all(file_get_contents($view)) as $token) {
-	if (!is_array($token) || ($token[0] != T_WHITESPACE)) {
-	  $tokens[] = $token;
-	}
+        if (!is_array($token) || ($token[0] != T_WHITESPACE)) {
+          $tokens[] = $token;
+        }
       }
 
       $frame  = null;
@@ -34,199 +34,199 @@ class Xss_Security_Test extends Unit_Test_Case {
       $in_script_block = false;
 
       for ($token_number = 0; $token_number < count($tokens); $token_number++) {
-	$token = $tokens[$token_number];
-
-	// Are we in a <script> ... </script> block?
-	if (is_array($token) && $token[0] == T_INLINE_HTML) {
-	  $inline_html = $token[1];
-	  // T_INLINE_HTML blocks can be split. Need to handle the case
-	  // where one token has "<scr" and the next has "ipt"
-	  while (self::_token_matches(array(T_INLINE_HTML), $tokens, $token_number + 1)) {
-	    $token_number++;
-	    $token = $tokens[$token_number];
-	    $inline_html .= $token[1];
-	  }
-
-	  if ($frame) {
-	    $frame->expr_append($inline_html);
-	  }
-
-	  // Note: This approach won't catch <script src="..."> blocks if the src
-	  // URL is generated via < ? = url::site() ? > or some other PHP.
-	  // Assume that all such script blocks with a src URL have an
-	  // empty element body.
-	  // But we'll catch closing tags for such blocks, so don't keep track
-	  // of opening / closing tag count since it would be meaningless.
-
-	  // Handle multiple start / end blocks on the same line?
-	  $opening_script_pos = $closing_script_pos = 0;
-	  if (preg_match_all('{</script>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
-	    $last_match = array_pop($matches[0]);
-	    if (is_array($last_match)) {
-	      $closing_script_pos = $last_match[1];
-	    } else {
-	      $closing_script_pos = $last_match;
-	    }
-	  }
-	  if (preg_match('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
-	    $last_match = array_pop($matches[0]);
-	    if (is_array($last_match)) {
-	      $opening_script_pos = $last_match[1];
-	    } else {
-	      $opening_script_pos = $last_match;
-	    }
-	  }
-	  if ($opening_script_pos != $closing_script_pos) {
-	    $in_script_block = $opening_script_pos > $closing_script_pos;
-	  }
-	}
-
-	// Look and report each instance of < ? = ... ? >
-	if (!is_array($token)) {
-	  // A single char token, e.g: ; ( )
-	  if ($frame) {
-	    $frame->expr_append($token);
-	  }
-	} else if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
-	  // No need for a stack here - assume < ? = cannot be nested.
-	  $frame = self::_create_frame($token, $in_script_block);
+        $token = $tokens[$token_number];
+
+        // Are we in a <script> ... </script> block?
+        if (is_array($token) && $token[0] == T_INLINE_HTML) {
+          $inline_html = $token[1];
+          // T_INLINE_HTML blocks can be split. Need to handle the case
+          // where one token has "<scr" and the next has "ipt"
+          while (self::_token_matches(array(T_INLINE_HTML), $tokens, $token_number + 1)) {
+            $token_number++;
+            $token = $tokens[$token_number];
+            $inline_html .= $token[1];
+          }
+
+          if ($frame) {
+            $frame->expr_append($inline_html);
+          }
+
+          // Note: This approach won't catch <script src="..."> blocks if the src
+          // URL is generated via < ? = url::site() ? > or some other PHP.
+          // Assume that all such script blocks with a src URL have an
+          // empty element body.
+          // But we'll catch closing tags for such blocks, so don't keep track
+          // of opening / closing tag count since it would be meaningless.
+
+          // Handle multiple start / end blocks on the same line?
+          $opening_script_pos = $closing_script_pos = 0;
+          if (preg_match_all('{</script>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+            $last_match = array_pop($matches[0]);
+            if (is_array($last_match)) {
+              $closing_script_pos = $last_match[1];
+            } else {
+              $closing_script_pos = $last_match;
+            }
+          }
+          if (preg_match('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+            $last_match = array_pop($matches[0]);
+            if (is_array($last_match)) {
+              $opening_script_pos = $last_match[1];
+            } else {
+              $opening_script_pos = $last_match;
+            }
+          }
+          if ($opening_script_pos != $closing_script_pos) {
+            $in_script_block = $opening_script_pos > $closing_script_pos;
+          }
+        }
+
+        // Look and report each instance of < ? = ... ? >
+        if (!is_array($token)) {
+          // A single char token, e.g: ; ( )
+          if ($frame) {
+            $frame->expr_append($token);
+          }
+        } else if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
+          // No need for a stack here - assume < ? = cannot be nested.
+          $frame = self::_create_frame($token, $in_script_block);
         } else if ($frame && $token[0] == T_CLOSE_TAG) {
-	  // Store the < ? = ... ? > block that just ended here.
-	  $found[$view][] = $frame;
-	  $frame = null;
+          // Store the < ? = ... ? > block that just ended here.
+          $found[$view][] = $frame;
+          $frame = null;
         } else if ($frame && $token[0] == T_VARIABLE) {
-	  $frame->expr_append($token[1]);
+          $frame->expr_append($token[1]);
           if ($token[1] == '$theme') {
-	    if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
-		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
-		in_array($tokens[$token_number + 2][1],
-			 array("thumb_proportion", "site_menu", "album_menu", "tag_menu", "photo_menu",
+            if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
+                self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+                in_array($tokens[$token_number + 2][1],
+                         array("thumb_proportion", "site_menu", "album_menu", "tag_menu", "photo_menu",
                                "context_menu", "pager", "site_status", "messages", "album_blocks",
                                "album_bottom", "album_top", "body_attributes", "credits",
                                "dynamic_bottom", "dynamic_top", "footer", "head", "header_bottom",
                                "header_top", "page_bottom", "page_top", "photo_blocks", "photo_bottom",
                                "photo_top", "resize_bottom", "resize_top", "sidebar_blocks", "sidebar_bottom",
                                "sidebar_top", "thumb_bottom", "thumb_info", "thumb_top")) &&
-		self::_token_matches("(", $tokens, $token_number + 3)) {
+                self::_token_matches("(", $tokens, $token_number + 3)) {
 
-	      $method = $tokens[$token_number + 2][1];
-	      $frame->expr_append("->$method(");
+              $method = $tokens[$token_number + 2][1];
+              $frame->expr_append("->$method(");
 
-	      $token_number += 3;
-	      $token = $tokens[$token_number];
+              $token_number += 3;
+              $token = $tokens[$token_number];
 
               $frame->is_safe_html(true);
-	    } else if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
-		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
-		in_array($tokens[$token_number + 2][1],
-			 array("css", "script", "url")) &&
-		self::_token_matches("(", $tokens, $token_number + 3) &&
-                // Only allow constant strings here
-                self::_token_matches(array(T_CONSTANT_ENCAPSED_STRING), $tokens, $token_number + 4)) {
+            } else if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
+                       self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+                       in_array($tokens[$token_number + 2][1],
+                                array("css", "script", "url")) &&
+                       self::_token_matches("(", $tokens, $token_number + 3) &&
+                       // Only allow constant strings here
+                       self::_token_matches(array(T_CONSTANT_ENCAPSED_STRING), $tokens, $token_number + 4)) {
 
-	      $method = $tokens[$token_number + 2][1];
-	      $frame->expr_append("->$method(");
+              $method = $tokens[$token_number + 2][1];
+              $frame->expr_append("->$method(");
 
-	      $token_number += 4;
-	      $token = $tokens[$token_number];
+              $token_number += 4;
+              $token = $tokens[$token_number];
 
               $frame->is_safe_html(true);
-	    }
+            }
           }
-	} else if ($frame && $token[0] == T_STRING) {
-	  $frame->expr_append($token[1]);
-	  // t() and t2() are special in that they're guaranteed to return a SafeString().
-	  if (in_array($token[1], array("t", "t2"))) {
-	    if (self::_token_matches("(", $tokens, $token_number + 1)) {
-	      $frame->is_safe_html(true);
-	      $frame->expr_append("(");
-
-	      $token_number++;
-	      $token = $tokens[$token_number];
-	    }
-	  } else if ($token[1] == "SafeString") {
-	    // Looking for SafeString::of(...
-	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
-		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
-		in_array($tokens[$token_number + 2][1], array("of", "purify")) &&
-		self::_token_matches("(", $tokens, $token_number + 3)) {
+        } else if ($frame && $token[0] == T_STRING) {
+          $frame->expr_append($token[1]);
+          // t() and t2() are special in that they're guaranteed to return a SafeString().
+          if (in_array($token[1], array("t", "t2"))) {
+            if (self::_token_matches("(", $tokens, $token_number + 1)) {
+              $frame->is_safe_html(true);
+              $frame->expr_append("(");
+
+              $token_number++;
+              $token = $tokens[$token_number];
+            }
+          } else if ($token[1] == "SafeString") {
+            // Looking for SafeString::of(...
+            if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+                self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+                in_array($tokens[$token_number + 2][1], array("of", "purify")) &&
+                self::_token_matches("(", $tokens, $token_number + 3)) {
               // Not checking for of_safe_html(). We want such calls to be marked dirty (thus reviewed).
 
-	      $frame->is_safe_html(true);
-
-	      $method = $tokens[$token_number + 2][1];
-	      $frame->expr_append("::$method(");
-
-	      $token_number += 3;
-	      $token = $tokens[$token_number];
-	    }
-	  } else if ($token[1] == "json_encode") {
-	    if (self::_token_matches("(", $tokens, $token_number + 1)) {
-	      $frame->is_safe_js(true);
-	      $frame->expr_append("(");
-
-	      $token_number++;
-	      $token = $tokens[$token_number];
-	    }
-	  } else if ($token[1] == "url") {
-	    // url methods return safe HTML
-	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
-		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
-		in_array($tokens[$token_number + 2][1],
-			 array("site", "current", "base", "file", "abs_site", "abs_current",
-			       "abs_file", "merge")) &&
-		self::_token_matches("(", $tokens, $token_number + 3)) {
-	      $frame->is_safe_html(true);
-
-	      $method = $tokens[$token_number + 2][1];
-	      $frame->expr_append("::$method(");
-
-	      $token_number += 3;
-	      $token = $tokens[$token_number];
-	    }
-	  } else if ($token[1] == "html") {
-	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
-		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
-		in_array($tokens[$token_number + 2][1],
-			 array("clean", "purify", "js_string", "clean_attribute")) &&
-		self::_token_matches("(", $tokens, $token_number + 3)) {
+              $frame->is_safe_html(true);
+
+              $method = $tokens[$token_number + 2][1];
+              $frame->expr_append("::$method(");
+
+              $token_number += 3;
+              $token = $tokens[$token_number];
+            }
+          } else if ($token[1] == "json_encode") {
+            if (self::_token_matches("(", $tokens, $token_number + 1)) {
+              $frame->is_safe_js(true);
+              $frame->expr_append("(");
+
+              $token_number++;
+              $token = $tokens[$token_number];
+            }
+          } else if ($token[1] == "url") {
+            // url methods return safe HTML
+            if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+                self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+                in_array($tokens[$token_number + 2][1],
+                         array("site", "current", "base", "file", "abs_site", "abs_current",
+                               "abs_file", "merge")) &&
+                self::_token_matches("(", $tokens, $token_number + 3)) {
+              $frame->is_safe_html(true);
+
+              $method = $tokens[$token_number + 2][1];
+              $frame->expr_append("::$method(");
+
+              $token_number += 3;
+              $token = $tokens[$token_number];
+            }
+          } else if ($token[1] == "html") {
+            if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+                self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+                in_array($tokens[$token_number + 2][1],
+                         array("clean", "purify", "js_string", "clean_attribute")) &&
+                self::_token_matches("(", $tokens, $token_number + 3)) {
               // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
 
-	      $method = $tokens[$token_number + 2][1];
-	      $frame->expr_append("::$method(");
+              $method = $tokens[$token_number + 2][1];
+              $frame->expr_append("::$method(");
 
-	      $token_number += 3;
-	      $token = $tokens[$token_number];
+              $token_number += 3;
+              $token = $tokens[$token_number];
 
               if ("js_string" == $method) {
                 $frame->is_safe_js(true);
               } else {
                 $frame->is_safe_html(true);
               }
-	    }
-	  } 
-	} else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
-	  $frame->expr_append($token[1]);
-
-	  if (self::_token_matches(array(T_STRING), $tokens, $token_number + 1) &&
-	      in_array($tokens[$token_number + 1][1],
-		       array("for_js", "for_html", "purified_html", "for_html_attr")) &&
-	      self::_token_matches("(", $tokens, $token_number + 2)) {
-	    $method = $tokens[$token_number + 1][1];
-	    $frame->expr_append("$method(");
-
-	    $token_number += 2;
-	    $token = $tokens[$token_number];
-
-	    if ("for_js" == $method) {
-	      $frame->is_safe_js(true);
-	    } else {
-	      $frame->is_safe_html(true);
-	    }
-	  }
+            }
+          } 
+        } else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
+          $frame->expr_append($token[1]);
+
+          if (self::_token_matches(array(T_STRING), $tokens, $token_number + 1) &&
+              in_array($tokens[$token_number + 1][1],
+                       array("for_js", "for_html", "purified_html", "for_html_attr")) &&
+              self::_token_matches("(", $tokens, $token_number + 2)) {
+            $method = $tokens[$token_number + 1][1];
+            $frame->expr_append("$method(");
+
+            $token_number += 2;
+            $token = $tokens[$token_number];
+
+            if ("for_js" == $method) {
+              $frame->is_safe_js(true);
+            } else {
+              $frame->is_safe_html(true);
+            }
+          }
         } else if ($frame) {
-	  $frame->expr_append($token[1]);
-	}
+          $frame->expr_append($token[1]);
+        }
       }
     }
 
@@ -252,26 +252,26 @@ class Xss_Security_Test extends Unit_Test_Case {
     ksort($found);
     foreach ($found as $view => $frames) {
       foreach ($frames as $frame) {
-	$state = "DIRTY";
-	if ($frame->in_script_block()) {
-	  $state = "DIRTY_JS";
-	  if ($frame->is_safe_js()) {
-	    $state = "CLEAN";
-	  }
-	} else {
-	  if ($frame->is_safe_html()) {
-	    $state = "CLEAN";
-	  }
-	}
-
-	if ("CLEAN" == $state) {
-	  // Don't print CLEAN instances - No need to update the golden
-	  // file when adding / moving clean instances.
-	  continue;
-	}
-
-	fprintf($fd, "%-60s %-3s %-8s %s\n",
-		$view, $frame->line(), $state, $frame->expr());
+        $state = "DIRTY";
+        if ($frame->in_script_block()) {
+          $state = "DIRTY_JS";
+          if ($frame->is_safe_js()) {
+            $state = "CLEAN";
+          }
+        } else {
+          if ($frame->is_safe_html()) {
+            $state = "CLEAN";
+          }
+        }
+
+        if ("CLEAN" == $state) {
+          // Don't print CLEAN instances - No need to update the golden
+          // file when adding / moving clean instances.
+          continue;
+        }
+
+        fprintf($fd, "%-60s %-3s %-8s %s\n",
+                $view, $frame->line(), $state, $frame->expr());
       }
     }
     fclose($fd);
@@ -280,7 +280,7 @@ class Xss_Security_Test extends Unit_Test_Case {
     $canonical = MODPATH . "gallery/tests/xss_data.txt";
     exec("diff $canonical $new", $output, $return_value);
     $this->assert_false(
-      $return_value, "XSS golden file mismatch.  Output:\n" . implode("\n", $output) );
+                        $return_value, "XSS golden file mismatch.  Output:\n" . implode("\n", $output) );
   }
 
   private static function _create_frame($token, $in_script_block) {
@@ -296,9 +296,9 @@ class Xss_Security_Test extends Unit_Test_Case {
 
     if (is_array($expected_token)) {
       for ($i = 0; $i < count($expected_token); $i++) {
-	if ($expected_token[$i] != $token[$i]) {
-	  return false;
-	}
+        if ($expected_token[$i] != $token[$i]) {
+          return false;
+        }
       }
       return true;
     } else {
diff --git a/modules/server_add/helpers/server_add_event.php b/modules/server_add/helpers/server_add_event.php
index 6b21ec2e..b2d55153 100644
--- a/modules/server_add/helpers/server_add_event.php
+++ b/modules/server_add/helpers/server_add_event.php
@@ -35,7 +35,7 @@ class server_add_event_Core {
       // turn that into a dropdown if there are two different ways to add things.  Do that in a
       // portable way for now.  If we find ourselves duplicating this pattern, we should make an
       // API method for this.
-			$add_menu = $menu->get("add_menu");
+                        $add_menu = $menu->get("add_menu");
       $add_menu->append(Menu::factory("dialog")
                   ->id("server_add")
                   ->label(t("Server add"))
-- 
cgit v1.2.3