From 12f25a7e55d5aab4c4170eaa3bcb761cf5514be2 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 8 Aug 2009 21:26:55 -0700
Subject: Fix the after_install loader to immediately open the "Welcome to
 Gallery 3!" dialog, but not immediately open the "change your password"
 dialog.

---
 modules/gallery/views/after_install_loader.html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/gallery/views/after_install_loader.html.php')

diff --git a/modules/gallery/views/after_install_loader.html.php b/modules/gallery/views/after_install_loader.html.php
index baf91eed..54484963 100644
--- a/modules/gallery/views/after_install_loader.html.php
+++ b/modules/gallery/views/after_install_loader.html.php
@@ -3,5 +3,5 @@
       title="<?= t("Welcome to Gallery 3") ?>"
       href="<?= url::site("after_install") ?>"/>
 <script type="text/javascript">
-  $(document).ready(function(){openDialog($("#gAfterInstall"));});
+  $(document).ready(function(){$("#gAfterInstall").gallery_dialog({immediate: true});});
 </script>
-- 
cgit v1.2.3


From 2bc73e2e36fefc3c1ee1b8e97e686c6729e58dcb Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Mon, 31 Aug 2009 21:51:57 -0700
Subject: Fix XSS vectors in HTML attributes (mostly t() calls)

---
 .../views/admin_block_recent_comments.html.php     |  2 +-
 modules/comment/views/admin_comments.html.php      |  2 +-
 modules/comment/views/comment.html.php             |  2 +-
 modules/comment/views/comments.html.php            |  2 +-
 modules/exif/views/exif_sidebar.html.php           |  2 +-
 .../gallery/views/admin_advanced_settings.html.php |  2 +-
 .../views/admin_block_photo_stream.html.php        |  4 +--
 modules/gallery/views/admin_modules.html.php       |  2 +-
 modules/gallery/views/admin_themes.html.php        | 12 +++----
 modules/gallery/views/after_install.html.php       |  2 +-
 .../gallery/views/after_install_loader.html.php    |  2 +-
 modules/gallery/views/l10n_client.html.php         |  2 +-
 modules/gallery/views/move_browse.html.php         |  2 +-
 modules/gallery/views/permissions_form.html.php    | 42 +++++++++++-----------
 modules/gallery/views/simple_uploader.html.php     |  2 +-
 modules/rss/views/feed.mrss.php                    | 10 +++---
 modules/search/views/search_link.html.php          |  2 +-
 modules/user/views/admin_users.html.php            | 10 +++---
 modules/user/views/admin_users_group.html.php      |  6 ++--
 modules/user/views/login.html.php                  |  2 +-
 modules/watermark/views/admin_watermarks.html.php  |  6 ++--
 themes/admin_default/views/admin.html.php          |  2 +-
 themes/default/views/page.html.php                 |  4 +--
 themes/default/views/photo.html.php                |  2 +-
 24 files changed, 63 insertions(+), 63 deletions(-)

(limited to 'modules/gallery/views/after_install_loader.html.php')

diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php
index dc3975e0..2afa5bf8 100644
--- a/modules/comment/views/admin_block_recent_comments.html.php
+++ b/modules/comment/views/admin_block_recent_comments.html.php
@@ -4,7 +4,7 @@
   <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
     <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
          class="gAvatar"
-         alt="<?= html::clean($comment->author_name()) ?>"
+         alt="<?= html::clean_attribute($comment->author_name()) ?>"
          width="32"
          height="32" />
     <?= gallery::date_time($comment->created) ?>
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index 588c3ebc..f5970ae1 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -122,7 +122,7 @@
             <a href="<?= $item->url() ?>">
               <? if ($item->has_thumb()): ?>
               <img src="<?= $item->thumb_url() ?>"
-                 alt="<?= html::purify($item->title) ?>"
+                 alt="<?= html::purify($item->title)->for_html_attr() ?>"
                  <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
               />
               <? else: ?>
diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php
index 1d0786cb..ce4e197d 100644
--- a/modules/comment/views/comment.html.php
+++ b/modules/comment/views/comment.html.php
@@ -4,7 +4,7 @@
     <a href="#">
       <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
            class="gAvatar"
-           alt="<?= html::clean($comment->author_name()) ?>"
+           alt="<?= html::clean_attribute($comment->author_name()) ?>"
            width="40"
            height="40" />
     </a>
diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index 1e45c946..b7ebdf3a 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -18,7 +18,7 @@
       <a href="#">
         <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
              class="gAvatar"
-             alt="<?= html::clean($comment->author_name()) ?>"
+             alt="<?= html::clean_attribute($comment->author_name()) ?>"
              width="40"
              height="40" />
       </a>
diff --git a/modules/exif/views/exif_sidebar.html.php b/modules/exif/views/exif_sidebar.html.php
index ee528613..60c0e1d4 100644
--- a/modules/exif/views/exif_sidebar.html.php
+++ b/modules/exif/views/exif_sidebar.html.php
@@ -1,5 +1,5 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
-<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details") ?>"
+<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details")->for_html_attr() ?>"
   class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all">
   <span class="ui-icon ui-icon-info"></span>
   <?= t("View more information") ?>
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index 4235e8f8..c3595da5 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -24,7 +24,7 @@
       <td>
         <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>"
           class="gDialogLink"
-          title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
+          title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name))->for_html_attr() ?>">
           <? if ($var->value): ?>
           <?= html::clean($var->value) ?>
           <? else: ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index a50836ad..1b9d8ff5 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::purify($photo->title)->for_html_attr() ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= html::purify($photo->title)->for_html_attr() ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_modules.html.php b/modules/gallery/views/admin_modules.html.php
index 168e20d0..9cf03cb3 100644
--- a/modules/gallery/views/admin_modules.html.php
+++ b/modules/gallery/views/admin_modules.html.php
@@ -27,6 +27,6 @@
       <? $i++ ?>
       <? endforeach ?>
     </table>
-    <input type="submit" value="<?= t("Update") ?>"/>
+    <input type="submit" value="<?= t("Update")->for_html_attr() ?>"/>
   </form>
 </div>
diff --git a/modules/gallery/views/admin_themes.html.php b/modules/gallery/views/admin_themes.html.php
index dc13a6a0..0aac4717 100644
--- a/modules/gallery/views/admin_themes.html.php
+++ b/modules/gallery/views/admin_themes.html.php
@@ -16,7 +16,7 @@
   <h2> <?= t("Gallery theme") ?> </h2>
   <div class="gBlock gSelected">
     <img src="<?= url::file("themes/{$site}/thumbnail.png") ?>"
-         alt="<?= $themes[$site]->name ?>" />
+         alt="<?= html::clean_attribute($themes[$site]->name) ?>" />
     <h3> <?= $themes[$site]->name ?> </h3>
     <p>
       <?= $themes[$site]->description ?>
@@ -30,9 +30,9 @@
     <? if (!$info->site) continue ?>
     <? if ($id == $site) continue ?>
     <div class="gBlock">
-      <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>">
+      <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>">
         <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>"
-             alt="<?= $info->name ?>" />
+             alt="<?= html::clean_attribute($info->name) ?>" />
         <h3> <?= $info->name ?> </h3>
         <p>
           <?= $info->description ?>
@@ -54,7 +54,7 @@
   <h2> <?= t("Admin theme") ?> </h2>
   <div class="gBlock gSelected">
     <img src="<?= url::file("themes/{$admin}/thumbnail.png") ?>"
-         alt="<?= $themes[$admin]->name ?>" />
+         alt="<?= html::clean_attribute($themes[$admin]->name) ?>" />
     <h3> <?= $themes[$admin]->name ?> </h3>
     <p>
       <?= $themes[$admin]->description ?>
@@ -68,9 +68,9 @@
     <? if (!$info->admin) continue ?>
     <? if ($id == $admin) continue ?>
     <div class="gBlock">
-      <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>">
+      <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>">
         <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>"
-             alt="<?= $info->name ?>" />
+             alt="<?= html::clean_attribute($info->name) ?>" />
         <h3> <?= $info->name ?> </h3>
         <p>
           <?= $info->description ?>
diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php
index b77a1707..897946a2 100644
--- a/modules/gallery/views/after_install.html.php
+++ b/modules/gallery/views/after_install.html.php
@@ -13,7 +13,7 @@
 
 <p>
   <a href="<?= url::site("form/edit/users/{$user->id}") ?>"
-    title="<?= t("Edit Your Profile") ?>"
+    title="<?= t("Edit Your Profile")->for_html_attr() ?>"
     id="gAfterInstallChangePasswordLink" class="gButtonLink ui-state-default ui-corners-all"><?= t("Change Password Now") ?></a>
   <script>
     $("#gAfterInstallChangePasswordLink").gallery_dialog();
diff --git a/modules/gallery/views/after_install_loader.html.php b/modules/gallery/views/after_install_loader.html.php
index 54484963..c2e3e1d9 100644
--- a/modules/gallery/views/after_install_loader.html.php
+++ b/modules/gallery/views/after_install_loader.html.php
@@ -1,6 +1,6 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <span id="gAfterInstall"
-      title="<?= t("Welcome to Gallery 3") ?>"
+      title="<?= t("Welcome to Gallery 3")->for_html_attr() ?>"
       href="<?= url::site("after_install") ?>"/>
 <script type="text/javascript">
   $(document).ready(function(){$("#gAfterInstall").gallery_dialog({immediate: true});});
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index c68a63c8..3a43f7d3 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -66,7 +66,7 @@
           (<a href="http://www.unicode.org/cldr/data/charts/supplemental/language_plural_rules.html"><?= t("learn more about plural forms") ?></a>)
           <?= form::textarea("l10n-edit-plural-translation-other", "", ' rows="2"') ?>
         </div>
-        <input type="submit" name="l10n-edit-save" value="<?= t("Save translation") ?>"/>
+        <input type="submit" name="l10n-edit-save" value="<?= t("Save translation")->for_html_attr() ?>"/>
         <a href="javascript: Gallery.l10nClient.copySourceText()"
            class="gButtonLink ui-state-default ui-corner-all"><?= t("Copy source text") ?></a>
       </form>
diff --git a/modules/gallery/views/move_browse.html.php b/modules/gallery/views/move_browse.html.php
index 4f69c0e9..99728ecc 100644
--- a/modules/gallery/views/move_browse.html.php
+++ b/modules/gallery/views/move_browse.html.php
@@ -42,6 +42,6 @@
   <form method="post" action="<?= url::site("move/save/$source->id") ?>">
     <?= access::csrf_form_field() ?>
     <input type="hidden" name="target_id" value="" />
-    <input type="submit" id="gMoveButton" value="<?= t("Move") ?>" disabled="disabled"/>
+    <input type="submit" id="gMoveButton" value="<?= t("Move")->for_html_attr() ?>" disabled="disabled"/>
   </form>
 </div>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index e6b217c5..a0bb35f2 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -20,9 +20,9 @@
 
         <? if ($lock): ?>
           <td class="gDenied">
-            <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album') ?>" alt="<?= t('denied icon') ?>" />
-            <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album') ?>">
-              <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon') ?>" />
+            <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album')->for_html_attr() ?>" alt="<?= t('denied icon')->for_html_attr() ?>" />
+            <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album')->for_html_attr() ?>">
+              <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon')->for_html_attr() ?>" />
             </a>
           </td>
         <? else: ?>
@@ -30,23 +30,23 @@
             <? if ($allowed): ?>
               <td class="gAllowed">
                 <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('allowed through parent album, click to allow explicitly') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon') ?>" />
+                  title="<?= t('allowed through parent album, click to allow explicitly')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon')->for_html_attr() ?>" />
                 </a>
                 <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('click to deny') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" />
+                  title="<?= t('click to deny')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" />
                 </a>
               </td>
             <? else: ?>
               <td class="gDenied">
                 <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('click to allow') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" />
+                  title="<?= t('click to allow')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" />
                 </a>
                 <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('denied through parent album, click to deny explicitly') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon') ?>" />
+                  title="<?= t('denied through parent album, click to deny explicitly')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon')->for_html_attr() ?>" />
                 </a>
               </td>
             <? endif ?>
@@ -54,31 +54,31 @@
           <? elseif ($intent === access::DENY): ?>
             <td class="gDenied">
               <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                title="<?= t('click to allow') ?>">
-                <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" />
+                title="<?= t('click to allow')->for_html_attr() ?>">
+                <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" />
               </a>
               <? if ($item->id == 1): ?>
-                <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" title="<?= t('denied') ?>"/>
+                <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" title="<?= t('denied')->for_html_attr() ?>"/>
               <? else: ?>
                 <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('denied, click to reset') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" />
+                  title="<?= t('denied, click to reset')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" />
                 </a>
               <? endif ?>
             </td>
           <? elseif ($intent === access::ALLOW): ?>
             <td class="gAllowed">
               <? if ($item->id == 1): ?>
-                <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed") ?>" alt="<?= t('allowed icon') ?>" />
+                <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed")->for_html_attr() ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" />
               <? else: ?>
                 <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('allowed, click to reset') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon') ?>" />
+                  title="<?= t('allowed, click to reset')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" />
                 </a>
               <? endif ?>
               <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                title="<?= t('click to deny') ?>">
-                <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" />
+                title="<?= t('click to deny')->for_html_attr() ?>">
+                <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" />
               </a>
             </td>
           <? endif ?>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 9cf554ec..7f8a96df 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -35,7 +35,7 @@
     <span id="gUploadQueueInfo">
       <?= t("Upload Queue") ?>
     </span>
-    <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads") ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a>
+    <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads")->for_html_attr() ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a>
   </p>
   <div id="gAddPhotosCanvas" style="text-align: center;">
     <div id="gAddPhotosQueue"></div>
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 731703c7..3612cbc0 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= html::clean($child->title) ?></title>
+      <title><?= html::purify($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= html::clean($child->description) ?></span>
+          <span><?= html::purify($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= html::clean($child->title) ?>"
+                 title="<?= html::purify($child->title)->for_html_attr() ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= html::clean($child->title) ?>"
+                 title="<?= html::purify($child->title)->for_html_attr() ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= html::clean($child->description) ?>
+            <?= html::purify($child->description) ?>
           </p>
         ]]>
       </content:encoded>
diff --git a/modules/search/views/search_link.html.php b/modules/search/views/search_link.html.php
index 3f1bca91..51bb4e14 100644
--- a/modules/search/views/search_link.html.php
+++ b/modules/search/views/search_link.html.php
@@ -6,7 +6,7 @@
       <input type="text" name="q" id="gSearch"/>
     </li>
     <li>
-      <input type="submit" value="<?= t("Go") ?>" />
+      <input type="submit" value="<?= t("Go")->for_html_attr() ?>" />
     </li>
   </ul>
 </form>
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 9455f9d9..c065e4b1 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -44,7 +44,7 @@
 <div class="gBlock">
   <a href="<?= url::site("admin/users/add_user_form") ?>"
       class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all"
-      title="<?= t("Create a new user") ?>">
+      title="<?= t("Create a new user")->for_html_attr() ?>">
     <span class="ui-icon ui-icon-circle-plus"></span>
     <?= t("Add a new user") ?>
   </a>
@@ -67,8 +67,8 @@
       <tr id="gUser-<?= $user->id ?>" class="<?= text::alternate("gOddRow", "gEvenRow") ?> user <?= $user->admin ? "admin" : "" ?>">
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
-               title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= html::clean($user->name) ?>"
+               title="<?= t("Drag user onto group below to add as a new member")->for_html_attr() ?>"
+               alt="<?= html::clean_attribute($user->name) ?>"
                width="20"
                height="20" />
           <?= html::clean($user->name) ?>
@@ -92,7 +92,7 @@
               class="gDialogLink gButtonLink ui-state-default ui-corner-all ui-icon-left">
             <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a>
           <? else: ?>
-          <span title="<?= t("This user cannot be deleted") ?>"
+          <span title="<?= t("This user cannot be deleted")->for_html_attr() ?>"
               class="gButtonLink ui-state-disabled ui-corner-all ui-icon-left">
             <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></span>
           <? endif ?>
@@ -106,7 +106,7 @@
 <div id="gGroupAdmin" class="gBlock">
   <a href="<?= url::site("admin/users/add_group_form") ?>"
       class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all"
-      title="<?= t("Create a new group") ?>">
+      title="<?= t("Create a new group")->for_html_attr() ?>">
     <span class="ui-icon ui-icon-circle-plus"></span>
     <?= t("Add a new group") ?>
   </a>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index 8418ebc9..476e0817 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -3,11 +3,11 @@
   <?= html::clean($group->name) ?>
   <? if (!$group->special): ?>
   <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
-    title="<?= t("Delete the %name group", array("name" => $group->name)) ?>"
+    title="<?= t("Delete the %name group", array("name" => $group->name))->for_html_attr() ?>"
     class="gDialogLink gButtonLink ui-state-default ui-corner-all">
     <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
   <? else: ?>
-  <a title="<?= t("This default group cannot be deleted") ?>"
+  <a title="<?= t("This default group cannot be deleted")->for_html_attr() ?>"
      class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left">
     <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
   <? endif ?>
@@ -22,7 +22,7 @@
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
        class="gButtonLink ui-state-default ui-corner-all ui-icon-left"
        title="<?= t("Remove %user from %group group",
-              array("user" => $user->name, "group" => $group->name)) ?>">
+              array("user" => $user->name, "group" => $group->name))->for_html_attr() ?>">
       <span class="ui-icon ui-icon-closethick"><?= t("remove") ?></span>
     </a>
     <? endif ?>
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index 27431ce8..bb670d51 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -3,7 +3,7 @@
   <? if ($user->guest): ?>
   <li class="first">
     <a href="<?= url::site("login/ajax") ?>"
-       title="<?= t("Login to Gallery") ?>"
+       title="<?= t("Login to Gallery")->for_html_attr() ?>"
        id="gLoginLink"><?= t("Login") ?></a>
   </li>
   <? else: ?>
diff --git a/modules/watermark/views/admin_watermarks.html.php b/modules/watermark/views/admin_watermarks.html.php
index e83a7efa..ac69d21d 100644
--- a/modules/watermark/views/admin_watermarks.html.php
+++ b/modules/watermark/views/admin_watermarks.html.php
@@ -7,7 +7,7 @@
 
   <? if (empty($name)): ?>
   <a href="<?= url::site("admin/watermarks/form_add") ?>"
-     title="<?= t("Upload a watermark") ?>"
+     title="<?= t("Upload a watermark")->for_html_attr() ?>"
      class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-document-b"></span><?= t("Upload a watermark") ?></a>
   <? else: ?>
   <h2> <?= t("Active Watermark") ?> </h2>
@@ -26,10 +26,10 @@
     </div>
     <div class="controls">
       <a href="<?= url::site("admin/watermarks/form_edit") ?>"
-         title="<?= t("Edit Watermark") ?>"
+         title="<?= t("Edit Watermark")->for_html_attr() ?>"
          class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-pencil"></span><?= t("edit") ?></a>
       <a href="<?= url::site("admin/watermarks/form_delete") ?>"
-         title="<?= t("Delete Watermark") ?>"
+         title="<?= t("Delete Watermark")->for_html_attr() ?>"
          class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a>
     </div>
   </div>
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index 3b1ff92c..c54fdcb5 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -48,7 +48,7 @@
           <li class="first"><?= html::anchor("albums/1", "&larr; ".t("Back to the Gallery")) ?></li>
           <li id="gLogoutLink"><a href="<?= url::site("logout?continue=albums/1&amp;csrf=$csrf") ?>"><?= t("Logout") ?></a></li>
         </ul>
-        <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery") ?>">
+        <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery")->for_html_attr() ?>">
           &larr; <?= t("back to the ...") ?>
         </a>
         <div id="gSiteAdminMenu" style="display: none;">
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index 7d181ea0..1650debe 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -81,8 +81,8 @@
           <? if ($header_text = module::get_var("gallery", "header_text")): ?>
           <?= $header_text ?>
           <? else: ?>
-          <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery home") ?>">
-            <img width="107" height="48" alt="<?= t("Gallery logo: Your photos on your web site") ?>" src="<?= $theme->url("images/logo.png") ?>" />
+          <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery home")->for_html_attr() ?>">
+            <img width="107" height="48" alt="<?= t("Gallery logo: Your photos on your web site")->for_html_attr() ?>" src="<?= $theme->url("images/logo.png") ?>" />
           </a>
           <? endif ?>
           <div id="gSiteMenu">
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 5289b467..b0096043 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -40,7 +40,7 @@
   <div id="gPhoto">
     <?= $theme->resize_top($item) ?>
     <? if (access::can("view_full", $item)): ?>
-    <a href="<?= $item->file_url() ?>" class="gFullSizeLink" title="<?= t("View full size") ?>">
+    <a href="<?= $item->file_url() ?>" class="gFullSizeLink" title="<?= t("View full size")->for_html_attr() ?>">
       <? endif ?>
       <?= $item->resize_img(array("id" => "gPhotoId-{$item->id}", "class" => "gResize")) ?>
       <? if (access::can("view_full", $item)): ?>
-- 
cgit v1.2.3


From b8053c9ddf3e393f76594e7dccc2f81f7116fd85 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Thu, 10 Sep 2009 21:10:20 -0700
Subject: Rename "after_installer" to "welcome_message" in the code to make it
 clearer what its purpose is.  Add some spacing in the theme for it so that
 it's less cramped.

---
 installer/installer.php                            |  5 +++
 modules/gallery/controllers/after_install.php      | 30 ------------------
 modules/gallery/controllers/welcome_message.php    | 30 ++++++++++++++++++
 modules/gallery/helpers/gallery_theme.php          |  4 +--
 modules/gallery/views/after_install.html.php       | 29 -----------------
 .../gallery/views/after_install_loader.html.php    |  7 -----
 modules/gallery/views/welcome_message.html.php     | 36 ++++++++++++++++++++++
 .../gallery/views/welcome_message_loader.html.php  |  7 +++++
 themes/default/css/screen.css                      |  4 +++
 9 files changed, 84 insertions(+), 68 deletions(-)
 delete mode 100644 modules/gallery/controllers/after_install.php
 create mode 100644 modules/gallery/controllers/welcome_message.php
 delete mode 100644 modules/gallery/views/after_install.html.php
 delete mode 100644 modules/gallery/views/after_install_loader.html.php
 create mode 100644 modules/gallery/views/welcome_message.html.php
 create mode 100644 modules/gallery/views/welcome_message_loader.html.php

(limited to 'modules/gallery/views/after_install_loader.html.php')

diff --git a/installer/installer.php b/installer/installer.php
index 7fed25c7..4480e35e 100644
--- a/installer/installer.php
+++ b/installer/installer.php
@@ -47,6 +47,11 @@ class installer {
   }
 
   static function unpack_var() {
+    if (!file_exists(VARPATH)) {
+      mkdir(VARPATH);
+      chmod(VARPATH, 0777);
+    }
+
     include(DOCROOT . "installer/init_var.php");
     return true;
   }
diff --git a/modules/gallery/controllers/after_install.php b/modules/gallery/controllers/after_install.php
deleted file mode 100644
index b640092f..00000000
--- a/modules/gallery/controllers/after_install.php
+++ /dev/null
@@ -1,30 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.");
-/**
- * Gallery - a web based photo album viewer and editor
- * Copyright (C) 2000-2009 Bharat Mediratta
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at
- * your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
- */
-class After_Install_Controller extends Controller {
-  public function index() {
-    if (!user::active()->admin) {
-      url::redirect(item::root()->url());
-    }
-
-    $v = new View("after_install.html");
-    $v->user = user::active();
-    print $v;
-  }
-}
diff --git a/modules/gallery/controllers/welcome_message.php b/modules/gallery/controllers/welcome_message.php
new file mode 100644
index 00000000..a4b690e3
--- /dev/null
+++ b/modules/gallery/controllers/welcome_message.php
@@ -0,0 +1,30 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Welcome_Message_Controller extends Controller {
+  public function index() {
+    if (!user::active()->admin) {
+      url::redirect(item::root()->url());
+    }
+
+    $v = new View("welcome_message.html");
+    $v->user = user::active();
+    print $v;
+  }
+}
diff --git a/modules/gallery/helpers/gallery_theme.php b/modules/gallery/helpers/gallery_theme.php
index 69c5a091..8c97f124 100644
--- a/modules/gallery/helpers/gallery_theme.php
+++ b/modules/gallery/helpers/gallery_theme.php
@@ -70,9 +70,9 @@ class gallery_theme_Core {
       return L10n_Client_Controller::l10n_form();
     }
 
-    if ($session->get("after_install")) {
+    if (true || $session->get("after_install")) {
       $session->delete("after_install");
-      return new View("after_install_loader.html");
+      return new View("welcome_message_loader.html");
     }
   }
 
diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php
deleted file mode 100644
index 897946a2..00000000
--- a/modules/gallery/views/after_install.html.php
+++ /dev/null
@@ -1,29 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.") ?>
-<h1 style="display: none">
-  <?= t("Welcome to Gallery 3!") ?>
-</h1>
-
-<p>
-  <?= t("Congratulations on choosing Gallery to host your photos.  We're confident that you're going to have a great experience.") ?>
-</p>
-
-<p>
-  <?= t("You're logged in to the <b>%user_name</b> account.  The very first thing you should do is to change your password to something that you'll remember.", array("user_name" => $user->name)) ?>
-</p>
-
-<p>
-  <a href="<?= url::site("form/edit/users/{$user->id}") ?>"
-    title="<?= t("Edit Your Profile")->for_html_attr() ?>"
-    id="gAfterInstallChangePasswordLink" class="gButtonLink ui-state-default ui-corners-all"><?= t("Change Password Now") ?></a>
-  <script>
-    $("#gAfterInstallChangePasswordLink").gallery_dialog();
-  </script>
-</p>
-
-<p>
-  <?= t("Want to learn more? The <a href=\"%url\">Gallery website</a> has news and information about the Gallery project and community.", array("url" => "http://gallery.menalto.com")) ?>
-</p>
-
-<p>
-  <?= t("Having problems? There's lots of information in our <a href=\"%codex_url\">documentation site</a> or you can <a href=\"%forum_url\">ask for help in the forums!</a>", array("codex_url" => "http://codex.gallery2.org/Main_Page", "forum_url" => "http://gallery.menalto.com/forum")) ?>
-</ul>
diff --git a/modules/gallery/views/after_install_loader.html.php b/modules/gallery/views/after_install_loader.html.php
deleted file mode 100644
index c2e3e1d9..00000000
--- a/modules/gallery/views/after_install_loader.html.php
+++ /dev/null
@@ -1,7 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.") ?>
-<span id="gAfterInstall"
-      title="<?= t("Welcome to Gallery 3")->for_html_attr() ?>"
-      href="<?= url::site("after_install") ?>"/>
-<script type="text/javascript">
-  $(document).ready(function(){$("#gAfterInstall").gallery_dialog({immediate: true});});
-</script>
diff --git a/modules/gallery/views/welcome_message.html.php b/modules/gallery/views/welcome_message.html.php
new file mode 100644
index 00000000..5515c3dc
--- /dev/null
+++ b/modules/gallery/views/welcome_message.html.php
@@ -0,0 +1,36 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<div id="gWelcomeMessage">
+  <h1 style="display: none">
+    <?= t("Welcome to Gallery 3!") ?>
+  </h1>
+
+  <p>
+    <h2>
+      <?= t("Congratulations on choosing Gallery to host your photos.  You're going to have a great experience!") ?>
+    </h2>
+  </p>
+
+  <p>
+    <?= t("First things first.  You're logged in to the <b>%user_name</b> account.  You should change your password to something that you'll remember.", array("user_name" => $user->name)) ?>
+  </p>
+
+  <p>
+    <a href="<?= url::site("form/edit/users/{$user->id}") ?>"
+      title="<?= t("Edit Your Profile")->for_html_attr() ?>"
+      id="gAfterInstallChangePasswordLink"
+      class="gButtonLink ui-state-default ui-corners-all">
+      <?= t("Change Password Now") ?>
+    </a>
+    <script>
+      $("#gAfterInstallChangePasswordLink").gallery_dialog();
+    </script>
+  </p>
+
+  <p>
+    <?= t("Want to learn more? The <a href=\"%url\">Gallery website</a> has news and information about the Gallery project and community.", array("url" => "http://gallery.menalto.com")) ?>
+  </p>
+
+  <p>
+    <?= t("Having problems? There's lots of information in our <a href=\"%codex_url\">documentation site</a> or you can <a href=\"%forum_url\">ask for help in the forums!</a>", array("codex_url" => "http://codex.gallery2.org/Main_Page", "forum_url" => "http://gallery.menalto.com/forum")) ?>
+  </p>
+</div>
diff --git a/modules/gallery/views/welcome_message_loader.html.php b/modules/gallery/views/welcome_message_loader.html.php
new file mode 100644
index 00000000..2c6bffca
--- /dev/null
+++ b/modules/gallery/views/welcome_message_loader.html.php
@@ -0,0 +1,7 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<span id="gWelcomeMessageLink"
+      title="<?= t("Welcome to Gallery 3")->for_html_attr() ?>"
+      href="<?= url::site("welcome_message") ?>"/>
+<script type="text/javascript">
+  $(document).ready(function(){$("#gWelcomeMessageLink").gallery_dialog({immediate: true});});
+</script>
diff --git a/themes/default/css/screen.css b/themes/default/css/screen.css
index fec618e6..d4c23155 100644
--- a/themes/default/css/screen.css
+++ b/themes/default/css/screen.css
@@ -773,6 +773,10 @@ form .gError,
   text-decoration: underline;
 }
 
+#gWelcomeMessage p {
+  padding-bottom: 1em;
+}
+
 /* Pagination ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
 
 .gPager {
-- 
cgit v1.2.3