From c01ac42c4604b3b129e8089e0dc683ebd418b380 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 12:48:40 -0700
Subject: Refactor all calls of p::clean() to SafeString::of() and p::purify()
 to SafeString::purify().

Removing any p::clean() calls for arguments to t() and t2() since their args are wrapped in a SafeString anyway.
---
 modules/gallery/views/simple_uploader.html.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'modules/gallery/views/simple_uploader.html.php')

diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 38ac518c..56e568f6 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -6,7 +6,7 @@
 <!-- hack to set the title for the dialog -->
 <form id="gAddPhotosForm" action="<?= url::site("simple_uploader/finish?csrf=$csrf") ?>">
   <fieldset>
-    <legend> <?= t("Add photos to %album_title", array("album_title" => p::purify($item->title))) ?> </legend>
+    <legend> <?= t("Add photos to %album_title", array("album_title" => SafeString::purify($item->title))) ?> </legend>
   </fieldset>
 </form>
 
@@ -26,9 +26,9 @@
   </p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
-    <li> <?= p::clean($parent->title) ?> </li>
+    <li> <?= SafeString::of($parent->title) ?> </li>
     <? endforeach ?>
-    <li class="active"> <?= p::purify($item->title) ?> </li>
+    <li class="active"> <?= SafeString::purify($item->title) ?> </li>
   </ul>
 
   <p>
-- 
cgit v1.2.3


From d5660d2d3ea6e8172272f1eb27e8071a1a42d87b Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 13:41:18 -0700
Subject: Fixing all detected XSS vectors in PHP->JS code.

Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
---
 modules/gallery/tests/Xss_Security_Test.php    | 15 +++++--
 modules/gallery/views/l10n_client.html.php     |  4 +-
 modules/gallery/views/simple_uploader.html.php | 61 +++++++++++++-------------
 modules/organize/views/organize.html.php       | 16 +++----
 themes/admin_default/views/admin.html.php      |  2 +-
 themes/default/views/movie.html.php            |  2 +-
 themes/default/views/page.html.php             |  2 +-
 themes/default/views/photo.html.php            |  4 +-
 8 files changed, 56 insertions(+), 50 deletions(-)

(limited to 'modules/gallery/views/simple_uploader.html.php')

diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index fd596c69..690dc760 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -178,10 +178,10 @@ class Xss_Security_Test extends Unit_Test_Case {
      * Generate the report
      *
      * States for uses of < ? = X ? >:
-     * JS_XSS:
+     * DIRTY_JS:
      *   In <script> block
      *     X can be anything without calling ->for_js()
-     * UNKNOWN:
+     * DIRTY:
      *   Outside <script> block:
      *     X can be anything without a call to ->for_html() or ->purified_html()
      * CLEAN:
@@ -196,9 +196,9 @@ class Xss_Security_Test extends Unit_Test_Case {
     ksort($found);
     foreach ($found as $view => $frames) {
       foreach ($frames as $frame) {
-	$state = "UNKNOWN";
+	$state = "DIRTY";
 	if ($frame->in_script_block()) {
-	  $state = "JS_XSS";
+	  $state = "DIRTY_JS";
 	  if ($frame->for_js_called() || $frame->json_encode_called()) {
 	    $state = "CLEAN";
 	  }
@@ -207,6 +207,13 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    $state = "CLEAN";
 	  }
 	}
+
+	if ("CLEAN" == $state) {
+	  // Don't print CLEAN instances - No need to update the golden
+	  // file when adding / moving clean instances.
+	  continue;
+	}
+
 	fprintf($fd, "%-60s %-3s %-8s %s\n",
 		$view, $frame->line(), $state, $frame->expr());
       }
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index c73719ca..523552c3 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -69,8 +69,8 @@
     </div>
   </div>
   <script type="text/javascript">
-    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text") ?>";
-    var MSG_CLOSE_X = "<?= t("X") ?>";
+    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text")->for_js() ?>";
+    var MSG_CLOSE_X = "<?= t("X")->for_js() ?>";
     var l10n_client_data = <?= json_encode($string_list) ?>;
     var plural_forms = <?= json_encode($plural_forms) ?>;
   </script>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 56e568f6..fc426e8f 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,27 +82,26 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= url::file("lib/swfupload/swfupload.swf") ?>",
-    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id") ?>",
-    post_params: {
-      "g3sid": "<?= Session::instance()->id() ?>",
-      "user_agent": "<?= Input::instance()->server("HTTP_USER_AGENT") ?>",
-      "csrf": "<?= $csrf ?>"
-    },
-    file_size_limit: "<?= ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB" ?>",
+    flash_url: "<?= url::file("lib/swfupload/swfupload.swf")->for_js() ?>",
+    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id")->for_js() ?>",
+    post_params: <?= json_encode(array(
+      "g3sid" => Session::instance()->id(),
+      "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
+      "csrf" => $csrf)) ?>,
+    file_size_limit: "<?= SafeString::of(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")->for_js() ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
-    file_types_description: "<?= t("Photos and Movies") ?>",
+    file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
     file_queue_limit: 0,
     custom_settings: { },
     debug: false,
 
     // Button settings
-    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png") ?>",
+    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png")->for_js() ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
-    button_text: '<span class="swfUploadFont"><?= t("Select photos...") ?></span>',
+    button_text: <?= json_encode('<span class="swfUploadFont">' . t("Select photos...") . '</span>') ?>,
     button_text_style: ".swfUploadFont { color: #2E6E9E; font-size: 16px; font-family: Lucida Grande,Lucida Sans,Arial,sans-serif; font-weight: bold; }",
     button_text_left_padding: 30,
     button_text_top_padding: 10,
@@ -146,13 +145,13 @@
   function file_queued(file) {
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("pending", "<?= t("Pending...") ?>");
+    fp.set_status("pending", "<?= t("Pending...")->for_js() ?>");
     // @todo add cancel button to call this.cancelUpload(file.id)
   }
 
   function file_queue_error(file, error_code, message) {
     if (error_code === SWFUpload.QUEUE_ERROR.QUEUE_LIMIT_EXCEEDED) {
-      alert("<?= t("You have attempted to queue too many files.") ?>");
+      alert("<?= t("You have attempted to queue too many files.")->for_js() ?>");
       return;
     }
 
@@ -160,20 +159,20 @@
     switch (error_code) {
     case SWFUpload.QUEUE_ERROR.FILE_EXCEEDS_SIZE_LIMIT:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize"))) ?>");
+      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>");
       break;
     case SWFUpload.QUEUE_ERROR.ZERO_BYTE_FILE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Cannot upload empty files.") ?>");
+      fp.set_status("error", "<?= t("Cannot upload empty files.")->for_js() ?>");
       break;
     case SWFUpload.QUEUE_ERROR.INVALID_FILETYPE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Invalid file type.") ?>");
+      fp.set_status("error", "<?= t("Invalid file type.")->for_js() ?>");
       break;
     default:
       if (file !== null) {
         fp.title.html(file.name);
-        fp.set_status("error", "<?= t("Unknown error") ?>");
+        fp.set_status("error", "<?= t("Unknown error")->for_js() ?>");
       }
       break;
     }
@@ -194,7 +193,7 @@
     // no uploadProgress events are called (limitation in the Linux Flash VM).
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("uploading", "<?= t("Uploading...") ?>");
+    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
     $("#gAddPhotosCanvas").scrollTo(fp.box, 1000);
     return true;
     // @todo add cancel button to call this.cancelUpload(file.id)
@@ -203,7 +202,7 @@
   function upload_progress(file, bytes_loaded, bytes_total) {
     var percent = Math.ceil((bytes_loaded / bytes_total) * 100);
     var fp = new File_Progress(file);
-    fp.set_status("uploading", "<?= t("Uploading...") ?>");
+    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
     fp.progress_bar.css("visibility", "visible");
     fp.progress_bar.progressbar("value", percent);
   }
@@ -211,42 +210,42 @@
   function upload_success(file, serverData) {
     var fp = new File_Progress(file);
     fp.progress_bar.progressbar("value", 100);
-    fp.set_status("complete", "<?= t("Complete.") ?>");
+    fp.set_status("complete", "<?= t("Complete.")->for_js() ?>");
   }
 
   function upload_error(file, error_code, message) {
     var fp = new File_Progress(file);
     switch (error_code) {
     case SWFUpload.UPLOAD_ERROR.HTTP_ERROR:
-      fp.set_status("error", "<?= t("Upload error: ") ?>" + message);
+      fp.set_status("error", "<?= t("Upload error: ")->for_js() ?>" + message);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_FAILED:
-      fp.set_status("error", "<?= t("Upload failed") ?>");
+      fp.set_status("error", "<?= t("Upload failed")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.IO_ERROR:
-      fp.set_status("error", "<?= t("Server error") ?>");
+      fp.set_status("error", "<?= t("Server error")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.SECURITY_ERROR:
-      fp.set_status("error", "<?= t("Security error") ?>");
+      fp.set_status("error", "<?= t("Security error")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_LIMIT_EXCEEDED:
-      fp.set_status("error", "<?= t("Upload limit exceeded") ?>");
+      fp.set_status("error", "<?= t("Upload limit exceeded")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_VALIDATION_FAILED:
-      fp.set_status("error", "<?= t("Failed validation.  File skipped") ?>");
+      fp.set_status("error", "<?= t("Failed validation.  File skipped")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_CANCELLED:
       // If there aren't any files left (they were all cancelled) disable the cancel button
       if (this.getStats().files_queued === 0) {
         $("#gUploadCancel").hide();
       }
-      fp.set_status("error", "<?= t("Cancelled") ?>");
+      fp.set_status("error", "<?= t("Cancelled")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_STOPPED:
-      fp.set_status("error", "<?= t("Stopped") ?>");
+      fp.set_status("error", "<?= t("Stopped")->for_js() ?>");
       break;
     default:
-      fp.set_status("error", "<?= t("Unknown error: ") ?>" + error_code);
+      fp.set_status("error", "<?= t("Unknown error: ")->for_js() ?>" + error_code);
       break;
     }
   }
@@ -260,7 +259,7 @@
   }
 
   function get_completed_status_msg(stats) {
-    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__")) ?>";
+    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>";
     msg = msg.replace("__COMPLETED__", stats.successful_uploads);
     msg = msg.replace("__TOTAL__", stats.files_queued + stats.successful_uploads +
       stats.upload_errors + stats.upload_cancelled + stats.queue_errors);
@@ -269,7 +268,7 @@
 
   // This event comes from the Queue Plugin
   function queue_complete(num_files_uploaded) {
-    var status_msg = "<?= t("Uploaded: __COUNT__") ?>";
+    var status_msg = "<?= t("Uploaded: __COUNT__")->for_js() ?>";
     $("#gUploadStatus").html(status_msg.replace("__COUNT__", num_files_uploaded));
   }
 </script>
diff --git a/modules/organize/views/organize.html.php b/modules/organize/views/organize.html.php
index 1182a887..d2f0aa8c 100644
--- a/modules/organize/views/organize.html.php
+++ b/modules/organize/views/organize.html.php
@@ -1,16 +1,16 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <!-- ?= html::script("modules/organize/js/organize.js") ? -->
 <script>
-  var FATAL_ERROR = "<?= t("Fatal Error") ?>";
-  var PAUSE_BUTTON = "<?= t("Pause") ?>";
-  var RESUME_BUTTON = "<?= t("Resume") ?>";
-  var CANCEL_BUTTON = "<?= t("Cancel") ?>";
-  var INVALID_DROP_TARGET = "<div class=\"gError\"><?= t("Drop cancelled as it would result in a recursive move") ?></div>";
-var CONFIRM_DELETE = "<?= t("Do you really want to delete the selected albums and/or photos") ?>"
+  var FATAL_ERROR = "<?= t("Fatal Error")->for_js() ?>";
+  var PAUSE_BUTTON = "<?= t("Pause")->for_js() ?>";
+  var RESUME_BUTTON = "<?= t("Resume"->for_js()) ?>";
+  var CANCEL_BUTTON = "<?= t("Cancel")->for_js() ?>";
+  var INVALID_DROP_TARGET = "<div class=\"gError\"><?= t("Drop cancelled as it would result in a recursive move")->for_js() ?></div>";
+var CONFIRM_DELETE = "<?= t("Do you really want to delete the selected albums and/or photos")->for_js() ?>"
   var item_id = <?= $item->id ?>;
 
-  var csrf = "<?= $csrf ?>";
-  var rearrangeUrl = "<?= url::site("__URI__/__ITEM_ID____TASK_ID__?csrf=$csrf") ?>";
+  var csrf = <?= json_encode($csrf) ?>;
+  var rearrangeUrl = "<?= url::site("__URI__/__ITEM_ID____TASK_ID__?csrf=$csrf")->for_js() ?>";
   $("#doc3").ready(function() {
     organize_dialog_init();
   });
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index d27f9260..61821428 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel') ?>";
+   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
    </script>
    <?= $theme->script("gallery.dialog.js") ?>
    <?= $theme->script("superfish/js/superfish.js") ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 1f25a626..75d51eff 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -20,7 +20,7 @@
   </div>
 
   <script type="text/javascript">
-    var ADD_A_COMMENT = "<?= t("Add a comment") ?>";
+    var ADD_A_COMMENT = "<?= t("Add a comment")->for_js() ?>";
   </script>
   <?= $theme->photo_bottom() ?>
 </div>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index ea2be37b..8d9f0caa 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -51,7 +51,7 @@
     <?= $theme->script("gallery.common.js") ?>
     <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
     <script type="text/javascript">
-    var MSG_CANCEL = "<?= t('Cancel') ?>";
+    var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
     </script>
     <?= $theme->script("gallery.dialog.js") ?>
     <?= $theme->script("gallery.form.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 1f92e9ba..fcf597cf 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      show_full_size("<?= $theme->item()->file_url() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      show_full_size("<?= $theme->item()->file_url()->for_js() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
@@ -55,7 +55,7 @@
   </div>
 
   <script type="text/javascript">
-    var ADD_A_COMMENT = "<?= t("Add a comment") ?>";
+    var ADD_A_COMMENT = "<?= t("Add a comment")->for_js() ?>";
   </script>
   <?= $theme->photo_bottom() ?>
 </div>
-- 
cgit v1.2.3


From b9bd1681a3b1496c0f1bbe5e6254ab4fd0c9fe30 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 22:54:20 -0700
Subject: Update all code to use helper method html::clean(), html::purify(),
 ... instead of SafeString directly.

---
 modules/comment/controllers/comments.php                   |  8 ++++----
 modules/comment/helpers/comment_rss.php                    |  8 ++++----
 modules/comment/views/admin_block_recent_comments.html.php |  6 +++---
 modules/comment/views/admin_comments.html.php              | 10 +++++-----
 modules/comment/views/comment.html.php                     |  6 +++---
 modules/comment/views/comment.mrss.php                     | 12 ++++++------
 modules/comment/views/comments.html.php                    |  6 +++---
 modules/digibug/controllers/digibug.php                    |  2 +-
 modules/exif/views/exif_dialog.html.php                    |  4 ++--
 modules/g2_import/helpers/g2_import.php                    |  2 +-
 modules/gallery/controllers/admin_advanced_settings.php    |  2 +-
 modules/gallery/controllers/quick.php                      | 10 +++++-----
 modules/gallery/helpers/MY_html.php                        |  4 ++--
 modules/gallery/helpers/gallery_rss.php                    |  4 ++--
 modules/gallery/helpers/gallery_task.php                   |  4 ++--
 modules/gallery/tests/Html_Helper_Test.php                 |  4 ++--
 modules/gallery/tests/Xss_Security_Test.php                |  4 ++--
 modules/gallery/views/admin_advanced_settings.html.php     |  6 +++---
 modules/gallery/views/admin_block_log_entries.html.php     |  2 +-
 modules/gallery/views/admin_block_photo_stream.html.php    |  4 ++--
 modules/gallery/views/admin_languages.html.php             |  4 ++--
 modules/gallery/views/admin_maintenance.html.php           |  4 ++--
 modules/gallery/views/admin_maintenance_show_log.html.php  |  2 +-
 modules/gallery/views/move_tree.html.php                   |  8 ++++----
 modules/gallery/views/permissions_browse.html.php          |  4 ++--
 modules/gallery/views/permissions_form.html.php            |  2 +-
 modules/gallery/views/simple_uploader.html.php             | 14 +++++++-------
 modules/info/views/info_block.html.php                     | 10 +++++-----
 modules/notification/views/comment_published.html.php      | 12 ++++++------
 modules/notification/views/item_added.html.php             |  8 ++++----
 modules/notification/views/item_deleted.html.php           |  6 +++---
 modules/notification/views/item_updated.html.php           | 12 ++++++------
 modules/organize/views/organize_dialog.html.php            |  2 +-
 modules/organize/views/organize_tree.html.php              |  6 +++---
 modules/rss/views/feed.mrss.php                            | 14 +++++++-------
 modules/rss/views/rss_block.html.php                       |  2 +-
 modules/search/views/search.html.php                       |  6 +++---
 modules/server_add/views/admin_server_add.html.php         |  2 +-
 modules/server_add/views/server_add_tree.html.php          |  4 ++--
 modules/server_add/views/server_add_tree_dialog.html.php   |  6 +++---
 modules/tag/controllers/admin_tags.php                     |  2 +-
 modules/tag/views/admin_tags.html.php                      |  6 +++---
 modules/tag/views/tag_cloud.html.php                       |  2 +-
 modules/user/controllers/logout.php                        |  2 +-
 modules/user/views/admin_users.html.php                    |  8 ++++----
 modules/user/views/admin_users_group.html.php              |  4 ++--
 modules/user/views/login.html.php                          |  2 +-
 themes/default/views/album.html.php                        |  6 +++---
 themes/default/views/dynamic.html.php                      |  4 ++--
 themes/default/views/header.html.php                       |  4 ++--
 themes/default/views/movie.html.php                        |  4 ++--
 themes/default/views/photo.html.php                        |  6 +++---
 52 files changed, 143 insertions(+), 143 deletions(-)

(limited to 'modules/gallery/views/simple_uploader.html.php')

diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php
index 87633f4c..82b12893 100644
--- a/modules/comment/controllers/comments.php
+++ b/modules/comment/controllers/comments.php
@@ -39,9 +39,9 @@ class Comments_Controller extends REST_Controller {
       foreach ($comments as $comment) {
         $data[] = array(
           "id" => $comment->id,
-          "author_name" => SafeString::of($comment->author_name()),
+          "author_name" => html::clean($comment->author_name()),
           "created" => $comment->created,
-          "text" => nl2br(SafeString::purify($comment->text)));
+          "text" => nl2br(html::purify($comment->text)));
       }
       print json_encode($data);
       break;
@@ -126,9 +126,9 @@ class Comments_Controller extends REST_Controller {
         array("result" => "success",
               "data" => array(
                 "id" => $comment->id,
-                "author_name" => SafeString::of($comment->author_name()),
+                "author_name" => html::clean($comment->author_name()),
                 "created" => $comment->created,
-                "text" => nl2br(SafeString::purify($comment->text)))));
+                "text" => nl2br(html::purify($comment->text)))));
     } else {
       $view = new Theme_View("comment.html", "fragment");
       $view->comment = $comment;
diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php
index 4151dcd0..b539887b 100644
--- a/modules/comment/helpers/comment_rss.php
+++ b/modules/comment/helpers/comment_rss.php
@@ -23,7 +23,7 @@ class comment_rss_Core {
     $feeds["comment/newest"] = t("All new comments");
     if ($item) {
       $feeds["comment/item/$item->id"] =
-        t("Comments on %title", array("title" => SafeString::purify($item->title)));
+        t("Comments on %title", array("title" => html::purify($item->title)));
     }
     return $feeds;
   }
@@ -49,13 +49,13 @@ class comment_rss_Core {
       $item = $comment->item();
       $feed->children[] = new ArrayObject(
         array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
-              "text" => nl2br(SafeString::purify($comment->text)),
+              "text" => nl2br(html::purify($comment->text)),
               "thumb_url" => $item->thumb_url(),
               "thumb_height" => $item->thumb_height,
               "thumb_width" => $item->thumb_width,
               "item_uri" => url::abs_site("{$item->type}s/$item->id"),
-              "title" => SafeString::purify($item->title),
-              "author" => SafeString::of($comment->author_name())),
+              "title" => html::purify($item->title),
+              "author" => html::clean($comment->author_name())),
         ArrayObject::ARRAY_AS_PROPS);
     }
 
diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php
index 2c7a5cf1..dc3975e0 100644
--- a/modules/comment/views/admin_block_recent_comments.html.php
+++ b/modules/comment/views/admin_block_recent_comments.html.php
@@ -4,13 +4,13 @@
   <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
     <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
          class="gAvatar"
-         alt="<?= SafeString::of($comment->author_name()) ?>"
+         alt="<?= html::clean($comment->author_name()) ?>"
          width="32"
          height="32" />
     <?= gallery::date_time($comment->created) ?>
     <?= t('<a href="#">%author_name</a> said <em>%comment_text</em>',
-          array("author_name" => SafeString::of($comment->author_name()),
-                "comment_text" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50))); ?>
+          array("author_name" => html::clean($comment->author_name()),
+                "comment_text" => text::limit_words(nl2br(html::purify($comment->text)), 50))); ?>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index 8b0b4c29..801ce2b3 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -108,12 +108,12 @@
         <a href="#">
           <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
                class="gAvatar"
-               alt="<?= SafeString::of($comment->author_name()) ?>"
+               alt="<?= html::clean($comment->author_name()) ?>"
                width="40"
                height="40" />
         </a>
-        <p><a href="mailto:<?= SafeString::of($comment->author_email()) ?>"
-              title="<?= SafeString::of($comment->author_email()) ?>"> <?= SafeString::of($comment->author_name()) ?> </a></p>
+        <p><a href="mailto:<?= html::clean($comment->author_email()) ?>"
+              title="<?= html::clean($comment->author_email()) ?>"> <?= html::clean($comment->author_name()) ?> </a></p>
       </td>
       <td>
         <div class="right">
@@ -122,7 +122,7 @@
             <a href="<?= $item->url() ?>">
               <? if ($item->has_thumb()): ?>
               <img src="<?= $item->thumb_url() ?>"
-                 alt="<?= SafeString::purify($item->title) ?>"
+                 alt="<?= html::purify($item->title) ?>"
                  <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
               />
               <? else: ?>
@@ -132,7 +132,7 @@
           </div>
         </div>
         <p><?= gallery::date($comment->created) ?></p>
-           <?= nl2br(SafeString::purify($comment->text)) ?>
+           <?= nl2br(html::purify($comment->text)) ?>
       </td>
       <td>
         <ul class="gButtonSetVertical">
diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php
index 31bb7f4d..1d0786cb 100644
--- a/modules/comment/views/comment.html.php
+++ b/modules/comment/views/comment.html.php
@@ -4,15 +4,15 @@
     <a href="#">
       <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
            class="gAvatar"
-           alt="<?= SafeString::of($comment->author_name()) ?>"
+           alt="<?= html::clean($comment->author_name()) ?>"
            width="40"
            height="40" />
     </a>
     <?= t("on %date_time, %author_name said",
           array("date_time" => gallery::date_time($comment->created),
-                "author_name" => SafeString::of($comment->author_name()))) ?>
+                "author_name" => html::clean($comment->author_name()))) ?>
   </p>
   <div>
-  <?= nl2br(SafeString::purify($comment->text)) ?>
+  <?= nl2br(html::purify($comment->text)) ?>
   </div>
 </li>
diff --git a/modules/comment/views/comment.mrss.php b/modules/comment/views/comment.mrss.php
index ae7762d9..c2a4b538 100644
--- a/modules/comment/views/comment.mrss.php
+++ b/modules/comment/views/comment.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>Gallery 3</generator>
-    <title><?= SafeString::of($feed->title) ?></title>
+    <title><?= html::clean($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= SafeString::of($feed->description) ?></description>
+    <description><?= html::clean($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,14 +22,14 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= SafeString::purify($child->title) ?></title>
-      <link><?= SafeString::of($child->item_uri) ?></link>
-      <author><?= SafeString::of($child->author) ?></author>
+      <title><?= html::purify($child->title) ?></title>
+      <link><?= html::clean($child->item_uri) ?></link>
+      <author><?= html::clean($child->author) ?></author>
       <guid isPermaLink="true"><?= $child->item_uri ?></guid>
       <pubDate><?= $child->pub_date ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <p><?= nl2br(SafeString::purify($child->text)) ?></p>
+          <p><?= nl2br(html::purify($child->text)) ?></p>
           <p>
             <img alt="" src="<?= $child->thumb_url ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" />
diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index 9eac0502..1e45c946 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -18,16 +18,16 @@
       <a href="#">
         <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
              class="gAvatar"
-             alt="<?= SafeString::of($comment->author_name()) ?>"
+             alt="<?= html::clean($comment->author_name()) ?>"
              width="40"
              height="40" />
       </a>
       <?= t('on %date <a href="#">%name</a> said',
             array("date" => date("Y-M-d H:i:s", $comment->created),
-                  "name" => SafeString::of($comment->author_name()))); ?>
+                  "name" => html::clean($comment->author_name()))); ?>
     </p>
     <div>
-      <?= nl2br(SafeString::purify($comment->text)) ?>
+      <?= nl2br(html::purify($comment->text)) ?>
     </div>
   </li>
   <? endforeach ?>
diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index 509a8b70..0939704b 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
@@ -50,7 +50,7 @@ class Digibug_Controller extends Controller {
       "image_width_1" => $item->width,
       "thumb_height_1" => $item->thumb_height,
       "thumb_width_1" => $item->thumb_width,
-      "title_1" => SafeString::purify($item->title));
+      "title_1" => html::purify($item->title));
 
     print $v;
   }
diff --git a/modules/exif/views/exif_dialog.html.php b/modules/exif/views/exif_dialog.html.php
index a981ca09..11d1e212 100644
--- a/modules/exif/views/exif_dialog.html.php
+++ b/modules/exif/views/exif_dialog.html.php
@@ -14,14 +14,14 @@
          <?= $details[$i]["caption"] ?>
          </td>
          <td class="gOdd">
-         <?= SafeString::of($details[$i]["value"]) ?>
+         <?= html::clean($details[$i]["value"]) ?>
          </td>
          <? if (!empty($details[++$i])): ?>
            <td class="gEven">
            <?= $details[$i]["caption"] ?>
            </td>
            <td class="gOdd">
-           <?= SafeString::of($details[$i]["value"]) ?>
+           <?= html::clean($details[$i]["value"]) ?>
            </td>
          <? else: ?>
            <td class="gEven"></td><td class="gOdd"></td>
diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php
index a01ca1db..7e5c6f75 100644
--- a/modules/g2_import/helpers/g2_import.php
+++ b/modules/g2_import/helpers/g2_import.php
@@ -590,7 +590,7 @@ class g2_import_Core {
     self::map($g2_comment->getId(), $comment->id);
     return t("Imported comment '%comment' for item with id: %id",
              array("id" => $comment->item_id,
-                   "comment" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50)));
+                   "comment" => text::limit_words(nl2br(html::purify($comment->text)), 50)));
   }
 
   /**
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index d727b654..43c77340 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
     module::set_var($module_name, $var_name, Input::instance()->post("value"));
     message::success(
       t("Saved value for %var (%module_name)",
-        array("var" => SafeString::of($var_name), "module_name" => $module_name)));
+        array("var" => html::clean($var_name), "module_name" => $module_name)));
 
     print json_encode(array("result" => "success"));
   }
diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php
index 8fddb563..20731f9c 100644
--- a/modules/gallery/controllers/quick.php
+++ b/modules/gallery/controllers/quick.php
@@ -75,7 +75,7 @@ class Quick_Controller extends Controller {
     access::required("view", $item->parent());
     access::required("edit", $item->parent());
 
-    $msg = t("Made <b>%title</b> this album's cover", array("title" => SafeString::purify($item->title)));
+    $msg = t("Made <b>%title</b> this album's cover", array("title" => html::purify($item->title)));
 
     item::make_album_cover($item);
     message::success($msg);
@@ -91,10 +91,10 @@ class Quick_Controller extends Controller {
     if ($item->is_album()) {
       print t(
         "Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
-        array("title" => SafeString::purify($item->title)));
+        array("title" => html::purify($item->title)));
     } else {
       print t("Are you sure you want to delete <b>%title</b>?",
-              array("title" => SafeString::purify($item->title)));
+              array("title" => html::purify($item->title)));
     }
 
     $form = item::get_delete_form($item);
@@ -108,9 +108,9 @@ class Quick_Controller extends Controller {
     access::required("edit", $item);
 
     if ($item->is_album()) {
-      $msg = t("Deleted album <b>%title</b>", array("title" => SafeString::purify($item->title)));
+      $msg = t("Deleted album <b>%title</b>", array("title" => html::purify($item->title)));
     } else {
-      $msg = t("Deleted photo <b>%title</b>", array("title" => SafeString::purify($item->title)));
+      $msg = t("Deleted photo <b>%title</b>", array("title" => html::purify($item->title)));
     }
 
     $parent = $item->parent();
diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php
index eb388811..75114898 100644
--- a/modules/gallery/helpers/MY_html.php
+++ b/modules/gallery/helpers/MY_html.php
@@ -65,11 +65,11 @@ class html extends html_Core {
    *
    * Example:<pre>
    *   <script type="text/javascript>"
-   *     var some_js_var = "<?= html::escape_for_js($php_var) ?>";
+   *     var some_js_var = "<?= html::clean_js($php_var) ?>";
    *   </script>
    * </pre>
    */
-  static function escape_for_js($string) {
+  static function clean_js($string) {
     return SafeString::of($string)->for_js();
   }
 
diff --git a/modules/gallery/helpers/gallery_rss.php b/modules/gallery/helpers/gallery_rss.php
index affb3101..dee6ae40 100644
--- a/modules/gallery/helpers/gallery_rss.php
+++ b/modules/gallery/helpers/gallery_rss.php
@@ -53,9 +53,9 @@ class gallery_rss_Core {
         ->descendants($limit, $offset, array("type" => "photo"));
       $feed->max_pages = ceil(
         $item->viewable()->descendants_count(array("type" => "photo")) / $limit);
-      $feed->title = SafeString::purify($item->title);
+      $feed->title = html::purify($item->title);
       $feed->link = url::abs_site("albums/{$item->id}");
-      $feed->description = nl2br(SafeString::purify($item->description));
+      $feed->description = nl2br(html::purify($item->description));
 
       return $feed;
     }
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index 8c0e8aa8..c9557324 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -64,10 +64,10 @@ class gallery_task_Core {
           if (!$success) {
             $ignored[$item->id] = 1;
             $errors[] = t("Unable to rebuild images for '%title'",
-                          array("title" => SafeString::purify($item->title)));
+                          array("title" => html::purify($item->title)));
           } else {
             $errors[] = t("Successfully rebuilt images for '%title'",
-                          array("title" => SafeString::purify($item->title)));
+                          array("title" => html::purify($item->title)));
           }
         }
 
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
index 4d934ad5..a9903256 100644
--- a/modules/gallery/tests/Html_Helper_Test.php
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -40,8 +40,8 @@ class Html_Helper_Test extends Unit_Test_Case {
 			$safe_string_2);
   }
 
-  public function escape_for_js_test() {
-    $string = html::escape_for_js("hello's <p  >world</p>");
+  public function clean_js_test() {
+    $string = html::clean_js("hello's <p  >world</p>");
     $this->assert_equal("hello\\'s <p  >world<\\/p>",
 			$string);
   }
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 8e5f8354..16e5a856 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -151,7 +151,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
 		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
 		in_array($tokens[$token_number + 2][1],
-			 array("clean", "purify", "escape_for_js", "clean_attribute_test")) &&
+			 array("clean", "purify", "clean_js", "clean_attribute")) &&
 		self::_token_matches("(", $tokens, $token_number + 3)) {
               // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
 
@@ -161,7 +161,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	      $token_number += 3;
 	      $token = $tokens[$token_number];
 
-              if ("escape_for_js" == $method) {
+              if ("clean_js" == $method) {
                 $frame->is_safe_js(true);
               } else {
                 $frame->is_safe_html(true);
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index adc15b91..4235e8f8 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -20,13 +20,13 @@
     <? if ($var->module_name == "gallery" && $var->name == "_cache") continue ?>
     <tr class="setting">
       <td> <?= $var->module_name ?> </td>
-      <td> <?= SafeString::of($var->name) ?> </td>
+      <td> <?= html::clean($var->name) ?> </td>
       <td>
-        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . SafeString::of($var->name)) ?>"
+        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>"
           class="gDialogLink"
           title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
           <? if ($var->value): ?>
-          <?= SafeString::of($var->value) ?>
+          <?= html::clean($var->value) ?>
           <? else: ?>
           <i> <?= t("empty") ?> </i>
           <? endif ?>
diff --git a/modules/gallery/views/admin_block_log_entries.html.php b/modules/gallery/views/admin_block_log_entries.html.php
index b7afb22d..780ff2d0 100644
--- a/modules/gallery/views/admin_block_log_entries.html.php
+++ b/modules/gallery/views/admin_block_log_entries.html.php
@@ -2,7 +2,7 @@
 <ul>
   <? foreach ($entries as $entry): ?>
   <li class="<?= log::severity_class($entry->severity) ?>" style="direction: ltr">
-    <a href="<?= url::site("user/$entry->user_id") ?>"><?= SafeString::of($entry->user->name) ?></a>
+    <a href="<?= url::site("user/$entry->user_id") ?>"><?= html::clean($entry->user->name) ?></a>
     <?= gallery::date_time($entry->timestamp) ?>
     <?= $entry->message ?>
     <?= $entry->html ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index 732bdc38..a50836ad 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= SafeString::of($photo->title) ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= SafeString::of($photo->title) ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index 4bee9bb1..052d749b 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -40,7 +40,7 @@
   </form>
 	
 	<script type="text/javascript">
-    var old_default_locale = "<?= SafeString::of($default_locale)->for_js() ?>";
+    var old_default_locale = "<?= html::escape_for_js($default_locale) ?>";
     
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
@@ -57,7 +57,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")->for_js() ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="<?= html::escape_for_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index a1f7b126..05bc0923 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -93,7 +93,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= SafeString::of($task->owner()->name) ?>
+          <?= html::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->state == "stalled"): ?>
@@ -164,7 +164,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= SafeString::of($task->owner()->name) ?>
+          <?= html::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->done): ?>
diff --git a/modules/gallery/views/admin_maintenance_show_log.html.php b/modules/gallery/views/admin_maintenance_show_log.html.php
index 209aef03..8ea1beb6 100644
--- a/modules/gallery/views/admin_maintenance_show_log.html.php
+++ b/modules/gallery/views/admin_maintenance_show_log.html.php
@@ -12,7 +12,7 @@ appendTo('body').submit().remove();
 <div id="gTaskLogDialog">
   <h1> <?= $task->name ?> </h1>
   <div class="gTaskLog">
-    <pre><?= SafeString::purify($task->get_log()) ?></pre>
+    <pre><?= html::purify($task->get_log()) ?></pre>
   </div>
   <button id="gCloseButton" class="ui-state-default ui-corner-all" onclick="dismiss()"><?= t("Close") ?></button>
   <button id="gSaveButton" class="ui-state-default ui-corner-all" onclick="download()"><?= t("Save") ?></button>
diff --git a/modules/gallery/views/move_tree.html.php b/modules/gallery/views/move_tree.html.php
index 7818a42a..623f80ee 100644
--- a/modules/gallery/views/move_tree.html.php
+++ b/modules/gallery/views/move_tree.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <?= $parent->thumb_img(array(), 25); ?>
 <? if (!access::can("edit", $parent) || $source->is_descendant($parent)): ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= SafeString::of($parent->title) ?> <?= t("(locked)") ?> </a>
+<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= html::clean($parent->title) ?> <?= t("(locked)") ?> </a>
 <? else: ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= SafeString::of($parent->title) ?></a>
+<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= html::clean($parent->title) ?></a>
 <? endif ?>
 <ul id="tree_<?= $parent->id ?>">
   <? foreach ($children as $child): ?>
   <li id="node_<?= $child->id ?>" class="node">
     <?= $child->thumb_img(array(), 25); ?>
     <? if (!access::can("edit", $child) || $source->is_descendant($child)): ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= SafeString::of($child->title) ?> <?= t("(locked)") ?></a>
+    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= html::clean($child->title) ?> <?= t("(locked)") ?></a>
     <? else: ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= SafeString::of($child->title) ?> </a>
+    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= html::clean($child->title) ?> </a>
     <? endif ?>
   </li>
   <? endforeach ?>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index 90970112..d9395b3f 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -39,13 +39,13 @@
     <? foreach ($parents as $parent): ?>
     <li id="item-<?= $parent->id ?>">
       <a href="javascript:show(<?= $parent->id ?>)">
-        <?= SafeString::purify($parent->title) ?>
+        <?= html::purify($parent->title) ?>
       </a>
     </li>
     <? endforeach ?>
     <li class="active" id="item-<?= $item->id ?>">
       <a href="javascript:show(<?= $item->id ?>)">
-    	<?= SafeString::purify($item->title) ?>
+    	<?= html::purify($item->title) ?>
       </a>
     </li>
   </ul>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index adc0496f..e6b217c5 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -6,7 +6,7 @@
     <tr>
       <th> </th>
       <? foreach ($groups as $group): ?>
-      <th> <?= SafeString::of($group->name) ?> </th>
+      <th> <?= html::clean($group->name) ?> </th>
       <? endforeach ?>
     </tr>
 
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 1f185780..b136972a 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -6,7 +6,7 @@
 <!-- hack to set the title for the dialog -->
 <form id="gAddPhotosForm" action="<?= url::site("simple_uploader/finish?csrf=$csrf") ?>">
   <fieldset>
-    <legend> <?= t("Add photos to %album_title", array("album_title" => SafeString::purify($item->title))) ?> </legend>
+    <legend> <?= t("Add photos to %album_title", array("album_title" => html::purify($item->title))) ?> </legend>
   </fieldset>
 </form>
 
@@ -26,9 +26,9 @@
   </p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
-    <li> <?= SafeString::of($parent->title) ?> </li>
+    <li> <?= html::clean($parent->title) ?> </li>
     <? endforeach ?>
-    <li class="active"> <?= SafeString::purify($item->title) ?> </li>
+    <li class="active"> <?= html::purify($item->title) ?> </li>
   </ul>
 
   <p>
@@ -82,13 +82,13 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= url::file("lib/swfupload/swfupload.swf")->for_js() ?>",
-    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id")->for_js() ?>",
+    flash_url: "<?= html::escape_for_js(url::file("lib/swfupload/swfupload.swf")) ?>",
+    upload_url: "<?= html::escape_for_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= SafeString::of(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")->for_js() ?>",
+    file_size_limit: "<?= html::escape_for_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")) ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
     file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
@@ -97,7 +97,7 @@
     debug: false,
 
     // Button settings
-    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png")->for_js() ?>",
+    button_image_url: "<?= html::escape_for_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
diff --git a/modules/info/views/info_block.html.php b/modules/info/views/info_block.html.php
index bfaaee99..d8f36984 100644
--- a/modules/info/views/info_block.html.php
+++ b/modules/info/views/info_block.html.php
@@ -2,18 +2,18 @@
 <ul class="gMetadata">
   <li>
     <strong class="caption"><?= t("Title:") ?></strong>
-    <?= SafeString::purify($item->title) ?>
+    <?= html::purify($item->title) ?>
   </li>
   <? if ($item->description): ?>
   <li>
     <strong class="caption"><?= t("Description:") ?></strong>
-     <?= nl2br(SafeString::purify($item->description)) ?>
+     <?= nl2br(html::purify($item->description)) ?>
   </li>
   <? endif ?>
   <? if (!$item->is_album()): ?>
   <li>
     <strong class="caption"><?= t("File name:") ?></strong>
-    <?= SafeString::of($item->name) ?>
+    <?= html::clean($item->name) ?>
   </li>
   <? endif ?>
   <? if ($item->captured): ?>
@@ -26,9 +26,9 @@
   <li>
     <strong class="caption"><?= t("Owner:") ?></strong>
     <? if ($item->owner->url): ?>
-    <a href="<?= $item->owner->url ?>"><?= SafeString::of($item->owner->display_name()) ?></a>
+    <a href="<?= $item->owner->url ?>"><?= html::clean($item->owner->display_name()) ?></a>
     <? else: ?>
-    <?= SafeString::of($item->owner->display_name()) ?>
+    <?= html::clean($item->owner->display_name()) ?>
     <? endif ?>
   </li>
   <? endif ?>
diff --git a/modules/notification/views/comment_published.html.php b/modules/notification/views/comment_published.html.php
index 02daf921..e39e39c6 100644
--- a/modules/notification/views/comment_published.html.php
+++ b/modules/notification/views/comment_published.html.php
@@ -1,26 +1,26 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Comment:") ?></td>
-  <td><?= nl2br(SafeString::purify($comment->text)) ?></td>
+  <td><?= nl2br(html::purify($comment->text)) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Name:") ?></td>
-        <td><?= SafeString::of($comment->author_name()) ?></td>
+        <td><?= html::clean($comment->author_name()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Email:") ?></td>
-        <td><?= SafeString::of($comment->author_email()) ?></td>
+        <td><?= html::clean($comment->author_email()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author URL:") ?></td>
-        <td><?= SafeString::of($comment->author_url()) ?></td>
+        <td><?= html::clean($comment->author_url()) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
diff --git a/modules/notification/views/item_added.html.php b/modules/notification/views/item_added.html.php
index 70b8fca4..f697fea6 100644
--- a/modules/notification/views/item_added.html.php
+++ b/modules/notification/views/item_added.html.php
@@ -1,14 +1,14 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Title:") ?></td>
-        <td><?= SafeString::purify($item->title) ?></td>
+        <td><?= html::purify($item->title) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
@@ -21,7 +21,7 @@
       <? if ($item->description): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-         <td><?= nl2br(SafeString::purify($item->description)) ?></td>
+         <td><?= nl2br(html::purify($item->description)) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/notification/views/item_deleted.html.php b/modules/notification/views/item_deleted.html.php
index e04fc71b..a51782ff 100644
--- a/modules/notification/views/item_deleted.html.php
+++ b/modules/notification/views/item_deleted.html.php
@@ -1,15 +1,15 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td colspan="2">
           <?= t("To view the changed album %title use the link below.",
-              array("title" => SafeString::purify($item->parent()->title))) ?>
+              array("title" => html::purify($item->parent()->title))) ?>
         </td>
       </tr>
       <tr>
diff --git a/modules/notification/views/item_updated.html.php b/modules/notification/views/item_updated.html.php
index c3a4f795..ba03540a 100644
--- a/modules/notification/views/item_updated.html.php
+++ b/modules/notification/views/item_updated.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2> <?= SafeString::of($subject) ?> </h2>
+    <h2> <?= html::clean($subject) ?> </h2>
     <table>
       <tr>
         <? if ($item->original("title") != $item->title): ?>
         <td><?= t("New Title:") ?></td>
-        <td><?= SafeString::of($item->title) ?></td>
+        <td><?= html::clean($item->title) ?></td>
         <? else: ?>
         <td><?= t("Title:") ?></td>
-        <td><?= SafeString::of($item->title) ?></td>
+        <td><?= html::clean($item->title) ?></td>
         <? endif ?>
       </tr>
       <tr>
@@ -22,12 +22,12 @@
       <? if ($item->original("description") != $item->description): ?>
       <tr>
         <td><?= t("New Description:") ?></td>
-        <td><?= SafeString::of($item->description) ?></td>
+        <td><?= html::clean($item->description) ?></td>
       </tr>
       <? elseif (!empty($item->description)): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-        <td><?= SafeString::of($item->description) ?></td>
+        <td><?= html::clean($item->description) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/organize/views/organize_dialog.html.php b/modules/organize/views/organize_dialog.html.php
index 27d5b508..857499aa 100644
--- a/modules/organize/views/organize_dialog.html.php
+++ b/modules/organize/views/organize_dialog.html.php
@@ -5,7 +5,7 @@
   var sort_order_url = "<?= url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf") ?>";
 </script>
 <div id="gOrganize" class="gDialogPanel">
-  <h1 style="display:none"><?= t("Organize %name", array("name" => SafeString::purify($album->title))) ?></h1>
+  <h1 style="display:none"><?= t("Organize %name", array("name" => html::purify($album->title))) ?></h1>
   <div id="bd">
     <div class="yui-gf">
       <div class="yui-u first">
diff --git a/modules/organize/views/organize_tree.html.php b/modules/organize/views/organize_tree.html.php
index 387d5977..5b676889 100644
--- a/modules/organize/views/organize_tree.html.php
+++ b/modules/organize/views/organize_tree.html.php
@@ -5,7 +5,7 @@
   <span class="ui-icon ui-icon-minus">
   </span>
   <span class="gAlbumText" ref="<?= $parent->id ?>">
-    <?= SafeString::of($parent->title) ?>
+    <?= html::clean($parent->title) ?>
   </span>
   <ul class="ui-icon-plus">
     <? endforeach ?>
@@ -17,7 +17,7 @@
       </span>
       <span class="gAlbumText <?= $peer->id == $album->id ? "selected" : "" ?>"
             ref="<?= $peer->id ?>">
-        <?= SafeString::of($peer->title) ?>
+        <?= html::clean($peer->title) ?>
       </span>
 
       <? if ($peer->id == $album->id): ?>
@@ -29,7 +29,7 @@
           </span>
           <span class="gAlbumText"
                 ref="<?= $child->id ?>">
-            <?= SafeString::of($child->title) ?>
+            <?= html::clean($child->title) ?>
           </span>
         </li>
         <? endforeach ?>
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 7298b7f4..731703c7 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>gallery3</generator>
-    <title><?= SafeString::of($feed->title) ?></title>
+    <title><?= html::clean($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= SafeString::of($feed->description) ?></description>
+    <description><?= html::clean($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= SafeString::of($child->title) ?></title>
+      <title><?= html::clean($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= SafeString::of($child->description) ?></span>
+          <span><?= html::clean($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= SafeString::of($child->title) ?>"
+                 title="<?= html::clean($child->title) ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= SafeString::of($child->title) ?>"
+                 title="<?= html::clean($child->title) ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= SafeString::of($child->description) ?>
+            <?= html::clean($child->description) ?>
           </p>
         ]]>
       </content:encoded>
diff --git a/modules/rss/views/rss_block.html.php b/modules/rss/views/rss_block.html.php
index cd8db89d..737731b6 100644
--- a/modules/rss/views/rss_block.html.php
+++ b/modules/rss/views/rss_block.html.php
@@ -5,7 +5,7 @@
     <span class="ui-icon-left">
     <a href="<?= rss::url($url) ?>">
       <span class="ui-icon ui-icon-signal-diag"></span>
-      <?= SafeString::purify($title) ?>
+      <?= html::purify($title) ?>
     </a>
     </span>
   </li>
diff --git a/modules/search/views/search.html.php b/modules/search/views/search.html.php
index e5c7b4a6..7963948d 100644
--- a/modules/search/views/search.html.php
+++ b/modules/search/views/search.html.php
@@ -8,7 +8,7 @@
     <ul>
       <li>
         <label for="q"><?= t("Search the gallery") ?></label>
-        <input name="q" id="q" type="text" value="<?= SafeString::of($q)->for_html_attr() ?>"/>
+        <input name="q" id="q" type="text" value="<?= html::clean_attribute($q) ?>"/>
       </li>
       <li>
         <input type="submit" value="<?= t("Search")->for_html_attr() ?>" />
@@ -31,10 +31,10 @@
       <a href="<?= url::site("items/$item->id") ?>">
         <?= $item->thumb_img() ?>
         <p>
-    <?= SafeString::purify($item->title) ?>
+    <?= html::purify($item->title) ?>
         </p>
         <div>
-    <?= nl2br(SafeString::purify($item->description)) ?>
+    <?= nl2br(html::purify($item->description)) ?>
         </div>
       </a>
     </li>
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index c4439bda..b48a19da 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -16,7 +16,7 @@
            class="gRemoveDir ui-icon ui-icon-trash">
           X
         </a>
-        <?= SafeString::of($path) ?>
+        <?= html::clean($path) ?>
       </li>
       <? endforeach ?>
     </ul>
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index 2f65a590..dbae42c5 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -10,7 +10,7 @@
     <li class="ui-icon-left">
       <span class="ui-icon ui-icon-folder-open"></span>
       <span ondblclick="open_dir('<?= $dir ?>')">
-        <?= SafeString::of(basename($dir)) ?>
+        <?= html::clean(basename($dir)) ?>
       </span>
       <ul>
         <? endforeach ?>
@@ -24,7 +24,7 @@
                 <? endif ?>
                 file="<?= strtr($file, array('"' => '\\"')) ?>"
                 >
-            <?= SafeString::of(basename($file)) ?>
+            <?= html::clean(basename($file)) ?>
           </span>
         </li>
         <? endforeach ?>
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index 912e69b6..8eb6e4df 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -5,17 +5,17 @@
 </script>
 
 <div id="gServerAdd">
-  <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => SafeString::purify($item->title))) ?></h1>
+  <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => html::purify($item->title))) ?></h1>
 
   <p id="gDescription"><?= t("Photos will be added to album:") ?></p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
     <li>
-      <?= SafeString::purify($parent->title) ?>
+      <?= html::purify($parent->title) ?>
     </li>
     <? endforeach ?>
     <li class="active">
-      <?= SafeString::purify($item->title) ?>
+      <?= html::purify($item->title) ?>
     </li>
   </ul>
 
diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index f1b4ca3a..8b8dde21 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -106,7 +106,7 @@ class Admin_Tags_Controller extends Admin_Controller {
         array("result" => "success",
               "location" => url::site("admin/tags"),
               "tag_id" => $tag->id,
-              "new_tagname" => SafeString::of($tag->name)));
+              "new_tagname" => html::clean($tag->name)));
     } else {
       print json_encode(
         array("result" => "error",
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 30dd0728..3d805c5e 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -32,7 +32,7 @@
           <? $current_letter = strtoupper(mb_substr($tag->name, 0, 1)) ?>
 
           <? if ($i == 0): /* first letter */ ?>
-            <strong><?= SafeString::of($current_letter) ?></strong>
+            <strong><?= html::clean($current_letter) ?></strong>
             <ul>
           <? elseif ($last_letter != $current_letter): /* new letter */ ?>
             <? if ($column_tag_count > $tags_per_column): /* new column */ ?>
@@ -42,12 +42,12 @@
             <? endif ?>
 
             </ul>
-            <strong><?= SafeString::of($current_letter) ?></strong>
+            <strong><?= html::clean($current_letter) ?></strong>
             <ul>
           <? endif ?>
 
           <li>
-            <span id="gTag-<?= $tag->id ?>" class="gEditable tag-name"><?= SafeString::of($tag->name) ?></span>
+            <span id="gTag-<?= $tag->id ?>" class="gEditable tag-name"><?= html::clean($tag->name) ?></span>
             <span class="understate">(<?= $tag->count ?>)</span>
             <a href="<?= url::site("admin/tags/form_delete/$tag->id") ?>"
                class="gDialogLink delete-link gButtonLink">
diff --git a/modules/tag/views/tag_cloud.html.php b/modules/tag/views/tag_cloud.html.php
index b4c6ae34..d6a0b5f8 100644
--- a/modules/tag/views/tag_cloud.html.php
+++ b/modules/tag/views/tag_cloud.html.php
@@ -3,7 +3,7 @@
   <? foreach ($tags as $tag): ?>
   <li class="size<?=(int)(($tag->count / $max_count) * 7) ?>">
     <span><?= $tag->count ?> photos are tagged with </span>
-    <a href="<?= url::site("tags/$tag->id") ?>"><?= SafeString::of($tag->name) ?></a>
+    <a href="<?= url::site("tags/$tag->id") ?>"><?= html::clean($tag->name) ?></a>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index 4b141a1c..fc3ced56 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -24,7 +24,7 @@ class Logout_Controller extends Controller {
     $user = user::active();
     user::logout();
     log::info("user", t("User %name logged out", array("name" => $user->name)),
-              html::anchor("user/$user->id", SafeString::of($user->name)));
+              html::anchor("user/$user->id", html::clean($user->name)));
     if ($continue_url = $this->input->get("continue")) {
       $item = url::get_item_from_uri($continue_url);
       if (access::can("view", $item)) {
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 36c4f4fd..9455f9d9 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -68,16 +68,16 @@
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
                title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= SafeString::of($user->name) ?>"
+               alt="<?= html::clean($user->name) ?>"
                width="20"
                height="20" />
-          <?= SafeString::of($user->name) ?>
+          <?= html::clean($user->name) ?>
         </td>
         <td>
-          <?= SafeString::of($user->full_name) ?>
+          <?= html::clean($user->full_name) ?>
         </td>
         <td>
-          <?= SafeString::of($user->email) ?>
+          <?= html::clean($user->email) ?>
         </td>
         <td>
           <?= ($user->last_login == 0) ? "" : gallery::date($user->last_login) ?>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index f89a4392..8418ebc9 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -1,6 +1,6 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <h4>
-  <?= SafeString::of($group->name) ?>
+  <?= html::clean($group->name) ?>
   <? if (!$group->special): ?>
   <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
     title="<?= t("Delete the %name group", array("name" => $group->name)) ?>"
@@ -17,7 +17,7 @@
 <ul>
   <? foreach ($group->users as $i => $user): ?>
   <li class="gUser">
-    <?= SafeString::of($user->name) ?>
+    <?= html::clean($user->name) ?>
     <? if (!$group->special): ?>
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
        class="gButtonLink ui-state-default ui-corner-all ui-icon-left"
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index e92513e7..85f673ce 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -12,7 +12,7 @@
       '<a href="' . url::site("form/edit/users/{$user->id}") .
       '" title="' . t("Edit Your Profile")->for_html_attr() .
       '" id="gUserProfileLink" class="gDialogLink">' .
-      SafeString::of($user->display_name()) . '</a>'))) ?>
+      html::clean($user->display_name()) . '</a>'))) ?>
   </li>
   <li>
     <a href="<?= url::site("logout?csrf=$csrf&amp;continue=" . urlencode(url::current(true))) ?>"
diff --git a/themes/default/views/album.html.php b/themes/default/views/album.html.php
index 8c690f5f..caabeee3 100644
--- a/themes/default/views/album.html.php
+++ b/themes/default/views/album.html.php
@@ -2,8 +2,8 @@
 <? // @todo Set hover on AlbumGrid list items for guest users ?>
 <div id="gInfo">
   <?= $theme->album_top() ?>
-  <h1><?= SafeString::purify($item->title) ?></h1>
-  <div class="gDescription"><?= nl2br(SafeString::purify($item->description)) ?></div>
+  <h1><?= html::purify($item->title) ?></h1>
+  <div class="gDescription"><?= nl2br(html::purify($item->description)) ?></div>
 </div>
 
 <ul id="gAlbumGrid">
@@ -20,7 +20,7 @@
     </a>
     <?= $theme->thumb_bottom($child) ?>
     <?= $theme->context_menu($child, "#gItemId-{$child->id} .gThumbnail") ?>
-    <h2><span></span><a href="<?= $child->url() ?>"><?= SafeString::of($child->title) ?></a></h2>
+    <h2><span></span><a href="<?= $child->url() ?>"><?= html::clean($child->title) ?></a></h2>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
     </ul>
diff --git a/themes/default/views/dynamic.html.php b/themes/default/views/dynamic.html.php
index 2d8e04a2..9ed9d69b 100644
--- a/themes/default/views/dynamic.html.php
+++ b/themes/default/views/dynamic.html.php
@@ -3,7 +3,7 @@
   <div id="gAlbumHeaderButtons">
     <?= $theme->dynamic_top() ?>
   </div>
-  <h1><?= SafeString::of($title) ?></h1>
+  <h1><?= html::clean($title) ?></h1>
 </div>
 
 <ul id="gAlbumGrid">
@@ -16,7 +16,7 @@
            width="<?= $child->thumb_width ?>"
            height="<?= $child->thumb_height ?>" />
     </a>
-    <h2><?= SafeString::purify($child->title) ?></h2>
+    <h2><?= html::purify($child->title) ?></h2>
     <?= $theme->thumb_bottom($child) ?>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
diff --git a/themes/default/views/header.html.php b/themes/default/views/header.html.php
index 9e34401d..dcfa6fd8 100644
--- a/themes/default/views/header.html.php
+++ b/themes/default/views/header.html.php
@@ -19,10 +19,10 @@
   <? foreach ($parents as $parent): ?>
   <li>
     <a href="<?= url::site("albums/{$parent->id}?show=$item->id") ?>">
-      <?= SafeString::purify($parent->title) ?>
+      <?= html::purify($parent->title) ?>
     </a>
   </li>
   <? endforeach ?>
-  <li class="active"><?= SafeString::purify($item->title) ?></li>
+  <li class="active"><?= html::purify($item->title) ?></li>
 </ul>
 <? endif ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 237743b7..910814dd 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -28,8 +28,8 @@
   <?= $item->movie_img(array("class" => "gMovie", "id" => "gMovieId-{$item->id}")) ?>
 
   <div id="gInfo">
-    <h1><?= SafeString::purify($item->title) ?></h1>
-       <div><?= nl2br(SafeString::purify($item->description)) ?></div>
+    <h1><?= html::purify($item->title) ?></h1>
+       <div><?= nl2br(html::purify($item->description)) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 5b5cb12b..c601c4cc 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= $theme->item()->file_url()->for_js() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size("<?= html::escape_for_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
@@ -51,8 +51,8 @@
   </div>
 
   <div id="gInfo">
-    <h1><?= SafeString::purify($item->title) ?></h1>
-    <div><?= nl2br(SafeString::purify($item->description)) ?></div>
+    <h1><?= html::purify($item->title) ?></h1>
+    <div><?= nl2br(html::purify($item->description)) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
-- 
cgit v1.2.3


From d3b03026907b63e90d90cda1b9f777e0fbfe29b7 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 23:15:28 -0700
Subject: Minor cleanup

---
 modules/gallery/views/admin_languages.html.php | 4 ++--
 modules/gallery/views/simple_uploader.html.php | 8 ++++----
 themes/default/views/photo.html.php            | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

(limited to 'modules/gallery/views/simple_uploader.html.php')

diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index 052d749b..ae2b3383 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -40,7 +40,7 @@
   </form>
 	
 	<script type="text/javascript">
-    var old_default_locale = "<?= html::escape_for_js($default_locale) ?>";
+    var old_default_locale = "<?= html::clean_js($default_locale) ?>";
     
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
@@ -57,7 +57,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= html::escape_for_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="<?= html::clean_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index b136972a..b2d01ea7 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,13 +82,13 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= html::escape_for_js(url::file("lib/swfupload/swfupload.swf")) ?>",
-    upload_url: "<?= html::escape_for_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
+    flash_url: "<?= html::clean_js(url::file("lib/swfupload/swfupload.swf")) ?>",
+    upload_url: "<?= html::clean_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= html::escape_for_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")) ?>",
+    file_size_limit: "<?= html::clean_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")) ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
     file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
@@ -97,7 +97,7 @@
     debug: false,
 
     // Button settings
-    button_image_url: "<?= html::escape_for_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
+    button_image_url: "<?= html::clean_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index c601c4cc..00e157ce 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= html::escape_for_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size("<?= html::clean_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
-- 
cgit v1.2.3


From 52b542b25353419d2895ecd6dd23cddf3b5dfe3d Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 30 Aug 2009 06:55:24 -0700
Subject: Fixing typo

---
 modules/gallery/views/simple_uploader.html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/gallery/views/simple_uploader.html.php')

diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index b2d01ea7..ccb166fc 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -88,7 +88,7 @@
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= html::clean_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")) ?>",
+    file_size_limit: "<?= html::clean_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
     file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
-- 
cgit v1.2.3


From 00c73ec852c29c214d72193ce368bc12a7305794 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 30 Aug 2009 15:34:46 -0700
Subject: Updating uses of html::js_string and SafeString::for_js (value now
 contains string delimiters)

---
 modules/gallery/views/admin_languages.html.php    | 86 +++++++++++------------
 modules/gallery/views/l10n_client.html.php        | 10 +--
 modules/gallery/views/permissions_browse.html.php | 17 ++---
 modules/gallery/views/simple_uploader.html.php    | 50 ++++++-------
 themes/admin_default/views/admin.html.php         |  2 +-
 themes/default/views/page.html.php                |  4 +-
 themes/default/views/photo.html.php               |  2 +-
 7 files changed, 85 insertions(+), 86 deletions(-)

(limited to 'modules/gallery/views/simple_uploader.html.php')

diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index ae2b3383..fa97d299 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -11,12 +11,11 @@
       <tr>
         <th> <?= t("Installed") ?> </th>
         <th> <?= t("Language") ?> </th>
-				<th> <?= t("Default language") ?> </th>
+        <th> <?= t("Default language") ?> </th>
       </tr>
       <? $i = 0 ?>
       <? foreach ($available_locales as $code => $display_name):  ?>
-			
-			<? if ($i == (count($available_locales)/2)): ?>
+      <? if ($i == (count($available_locales)/2)): ?>
       <table>
         <tr>
           <th> <?= t("Installed") ?> </th>
@@ -24,24 +23,24 @@
           <th> <?= t("Default language") ?> </th>
         </tr>
       <? endif ?>
-			
+
       <tr class="<?= (isset($installed_locales[$code])) ? "installed" : "" ?><?= ($default_locale == $code) ? " default" : "" ?>">
         <td> <?= form::checkbox("installed_locales[]", $code, isset($installed_locales[$code])) ?> </td>
-				<td> <?= $display_name ?> </td>
-				<td>
-					<?= form::radio("default_locale", $code, ($default_locale == $code), ((isset($installed_locales[$code]))?'':'disabled="disabled"') ) ?>
-				</td>
+        <td> <?= $display_name ?> </td>
+        <td>
+        <?= form::radio("default_locale", $code, ($default_locale == $code), ((isset($installed_locales[$code]))?'':'disabled="disabled"') ) ?>
+        </td>
       </tr>
       <? $i++ ?>
-			
+
       <? endforeach ?>
     </table>
-		<input type="submit" value="<?= t("Update languages")->for_html_attr() ?>" />
+    <input type="submit" value="<?= t("Update languages")->for_html_attr() ?>" />
   </form>
-	
-	<script type="text/javascript">
-    var old_default_locale = "<?= html::clean_js($default_locale) ?>";
-    
+
+  <script type="text/javascript">
+    var old_default_locale = <?= html::js_string($default_locale) ?>;
+
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
         $("input[type='radio'][value='" + this.value + "']").enable();
@@ -57,7 +56,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= html::clean_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="' + <?= html::js_string(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?> + '"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
@@ -68,38 +67,37 @@
 
 <div id="gTranslations">
   <h1> <?= t("Translations") ?> </h1>
-	<p>
+  <p>
     <?= t("Create your own translations and share them with the rest of the Gallery community.") ?>
   </p>
-	
-	<h3><?= t("Translating Gallery") ?></h3>
-	
-	<div class="gBlock">
-		<a href="http://codex.gallery2.org/Gallery3:Localization" target="_blank"
-		  class="gDocLink ui-state-default ui-corner-all ui-icon ui-icon-help"
-			title="<?= t("Localization documentation")->for_html_attr() ?>">
+
+  <h3><?= t("Translating Gallery") ?></h3>
+
+  <div class="gBlock">
+    <a href="http://codex.gallery2.org/Gallery3:Localization" target="_blank"
+       class="gDocLink ui-state-default ui-corner-all ui-icon ui-icon-help"
+       title="<?= t("Localization documentation")->for_html_attr() ?>">
       <?= t("Localization documentation") ?>
     </a>
-		
-		<p><?= t("<strong>Step 1:</strong> Make sure the target language is installed and up to date (check above).") ?></p>
-		
-      <p><?= t("<strong>Step 2:</strong> Make sure you have selected the right  target language (currently %default_locale).",
-               array("default_locale" => locales::display_name())) ?></p>
-		
-		<p><?= t("<strong>Step 3:</strong> Start the translation mode and the translation interface will appear at the bottom of each Gallery page.") ?></p>
-		
-		<a href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>"
-		  class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
-		  <span class="ui-icon ui-icon-power"></span>
-                  <? if (Session::instance()->get("l10n_mode", false)): ?>
-                  <?= t("Stop translation mode") ?>
-                  <? else: ?>
-                  <?= t("Start translation mode") ?>
-                  <? endif ?>
-	  </a>
-	</div>
-	
-	<h3>Sharing your translations</h3>
-	
+
+    <p><?= t("<strong>Step 1:</strong> Make sure the target language is installed and up to date (check above).") ?></p>
+
+    <p><?= t("<strong>Step 2:</strong> Make sure you have selected the right  target language (currently %default_locale).",
+             array("default_locale" => locales::display_name())) ?></p>
+
+    <p><?= t("<strong>Step 3:</strong> Start the translation mode and the translation interface will appear at the bottom of each Gallery page.") ?></p>
+
+    <a href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>"
+       class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
+      <span class="ui-icon ui-icon-power"></span>
+      <? if (Session::instance()->get("l10n_mode", false)): ?>
+      <?= t("Stop translation mode") ?>
+      <? else: ?>
+      <?= t("Start translation mode") ?>
+      <? endif ?>
+   </a>
+</div>
+
+<h3>Sharing your translations</h3>
   <?= $share_translations_form ?>
 </div>
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index 520fd79e..aca1e654 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -2,9 +2,9 @@
 <div id="l10n-client" class="hidden">
   <div class="labels">
     <span id="l10n-client-toggler">
-    	<a id="gMinimizeL10n">_</a>
-			<a id="gCloseL10n" href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>">X</a>
-	  </span>
+      <a id="gMinimizeL10n">_</a>
+      <a id="gCloseL10n" href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>">X</a>
+    </span>
     <div class="label strings"><h2><?= t("Page Text") ?>
     <? if (!Input::instance()->get('show_all_l10n_messages')): ?>
       <a style="background-color:#fff" href="<?= url::site("admin/languages?show_all_l10n_messages=1") ?>"><?= t("(Show All)") ?></a>
@@ -72,8 +72,8 @@
     </div>
   </div>
   <script type="text/javascript">
-    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text")->for_js() ?>";
-    var MSG_CLOSE_X = "<?= t("X")->for_js() ?>";
+    var MSG_TRANSLATE_TEXT = <?= t("Translate Text")->for_js() ?>;
+    var MSG_CLOSE_X = <?= t("X")->for_js() ?>;
     var l10n_client_data = <?= json_encode($string_list) ?>;
     var plural_forms = <?= json_encode($plural_forms) ?>;
   </script>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index d9395b3f..231daa04 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -5,9 +5,9 @@
     $.ajax({
       url: form_url.replace("__ITEM__", id),
       success: function(data) {
-		    $("#gEditPermissionForm").html(data);
-		    $(".active").removeClass("active");
-		    $("#item-" + id).addClass("active");
+          $("#gEditPermissionForm").html(data);
+          $(".active").removeClass("active");
+          $("#item-" + id).addClass("active");
       }
     });
   }
@@ -28,13 +28,14 @@
   <? if (!$htaccess_works): ?>
   <ul id="gMessage">
     <li class="gError">
-      <?= t("Oh no!  Your server needs a configuration change in order for you to hide photos!  Ask your server administrator to enable <a %mod_rewrite_attrs>mod_rewrite</a> and set <a %apache_attrs><i>AllowOverride FileInfo Options</i></a> to fix this.", array("mod_rewrite_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\"")) ?>
+      <?= t("Oh no!  Your server needs a configuration change in order for you to hide photos!  Ask your server administrator to enable <a %mod_rewrite_attrs>mod_rewrite</a> and set <a %apache_attrs><i>AllowOverride FileInfo Options</i></a> to fix this.",
+            array("mod_rewrite_attrs" => html::mark_safe("href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\""))) ?>
     </li>
   </ul>
   <? endif ?>
-  
+
   <p><?= t("Edit permissions for album:") ?></p>
-  
+
   <ul class="gBreadcrumbs">
     <? foreach ($parents as $parent): ?>
     <li id="item-<?= $parent->id ?>">
@@ -45,11 +46,11 @@
     <? endforeach ?>
     <li class="active" id="item-<?= $item->id ?>">
       <a href="javascript:show(<?= $item->id ?>)">
-    	<?= html::purify($item->title) ?>
+        <?= html::purify($item->title) ?>
       </a>
     </li>
   </ul>
-  
+
   <div id="gEditPermissionForm">
     <?= $form ?>
   </div>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index ccb166fc..9cf554ec 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,22 +82,22 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= html::clean_js(url::file("lib/swfupload/swfupload.swf")) ?>",
-    upload_url: "<?= html::clean_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
+    flash_url: <?= html::js_string(url::file("lib/swfupload/swfupload.swf")) ?>,
+    upload_url: <?= html::js_string(url::site("simple_uploader/add_photo/$item->id")) ?>,
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= html::clean_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>",
+    file_size_limit: <?= html::js_string(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>,
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
-    file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
+    file_types_description: <?= t("Photos and Movies")->for_js() ?>,
     file_upload_limit: 1000,
     file_queue_limit: 0,
     custom_settings: { },
     debug: false,
 
     // Button settings
-    button_image_url: "<?= html::clean_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
+    button_image_url: <?= html::js_string(url::file("themes/default/images/select-photos-backg.png")) ?>,
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
@@ -145,13 +145,13 @@
   function file_queued(file) {
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("pending", "<?= t("Pending...")->for_js() ?>");
+    fp.set_status("pending", <?= t("Pending...")->for_js() ?>);
     // @todo add cancel button to call this.cancelUpload(file.id)
   }
 
   function file_queue_error(file, error_code, message) {
     if (error_code === SWFUpload.QUEUE_ERROR.QUEUE_LIMIT_EXCEEDED) {
-      alert("<?= t("You have attempted to queue too many files.")->for_js() ?>");
+      alert(<?= t("You have attempted to queue too many files.")->for_js() ?>);
       return;
     }
 
@@ -159,20 +159,20 @@
     switch (error_code) {
     case SWFUpload.QUEUE_ERROR.FILE_EXCEEDS_SIZE_LIMIT:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>");
+      fp.set_status("error", <?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>);
       break;
     case SWFUpload.QUEUE_ERROR.ZERO_BYTE_FILE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Cannot upload empty files.")->for_js() ?>");
+      fp.set_status("error", <?= t("Cannot upload empty files.")->for_js() ?>);
       break;
     case SWFUpload.QUEUE_ERROR.INVALID_FILETYPE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Invalid file type.")->for_js() ?>");
+      fp.set_status("error", <?= t("Invalid file type.")->for_js() ?>);
       break;
     default:
       if (file !== null) {
         fp.title.html(file.name);
-        fp.set_status("error", "<?= t("Unknown error")->for_js() ?>");
+        fp.set_status("error", <?= t("Unknown error")->for_js() ?>);
       }
       break;
     }
@@ -193,7 +193,7 @@
     // no uploadProgress events are called (limitation in the Linux Flash VM).
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
+    fp.set_status("uploading", <?= t("Uploading...")->for_js() ?>);
     $("#gAddPhotosCanvas").scrollTo(fp.box, 1000);
     return true;
     // @todo add cancel button to call this.cancelUpload(file.id)
@@ -202,7 +202,7 @@
   function upload_progress(file, bytes_loaded, bytes_total) {
     var percent = Math.ceil((bytes_loaded / bytes_total) * 100);
     var fp = new File_Progress(file);
-    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
+    fp.set_status("uploading", <?= t("Uploading...")->for_js() ?>);
     fp.progress_bar.css("visibility", "visible");
     fp.progress_bar.progressbar("value", percent);
   }
@@ -210,42 +210,42 @@
   function upload_success(file, serverData) {
     var fp = new File_Progress(file);
     fp.progress_bar.progressbar("value", 100);
-    fp.set_status("complete", "<?= t("Complete.")->for_js() ?>");
+    fp.set_status("complete", <?= t("Complete.")->for_js() ?>);
   }
 
   function upload_error(file, error_code, message) {
     var fp = new File_Progress(file);
     switch (error_code) {
     case SWFUpload.UPLOAD_ERROR.HTTP_ERROR:
-      fp.set_status("error", "<?= t("Upload error: bad image file")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload error: bad image file")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_FAILED:
-      fp.set_status("error", "<?= t("Upload failed")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload failed")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.IO_ERROR:
-      fp.set_status("error", "<?= t("Server error")->for_js() ?>");
+      fp.set_status("error", <?= t("Server error")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.SECURITY_ERROR:
-      fp.set_status("error", "<?= t("Security error")->for_js() ?>");
+      fp.set_status("error", <?= t("Security error")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_LIMIT_EXCEEDED:
-      fp.set_status("error", "<?= t("Upload limit exceeded")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload limit exceeded")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_VALIDATION_FAILED:
-      fp.set_status("error", "<?= t("Failed validation.  File skipped")->for_js() ?>");
+      fp.set_status("error", <?= t("Failed validation.  File skipped")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_CANCELLED:
       // If there aren't any files left (they were all cancelled) disable the cancel button
       if (this.getStats().files_queued === 0) {
         $("#gUploadCancel").hide();
       }
-      fp.set_status("error", "<?= t("Cancelled")->for_js() ?>");
+      fp.set_status("error", <?= t("Cancelled")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_STOPPED:
-      fp.set_status("error", "<?= t("Stopped")->for_js() ?>");
+      fp.set_status("error", <?= t("Stopped")->for_js() ?>);
       break;
     default:
-      fp.set_status("error", "<?= t("Unknown error: ")->for_js() ?>" + error_code);
+      fp.set_status("error", <?= t("Unknown error: ")->for_js() ?> + error_code);
       break;
     }
   }
@@ -259,7 +259,7 @@
   }
 
   function get_completed_status_msg(stats) {
-    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>";
+    var msg = <?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>;
     msg = msg.replace("__COMPLETED__", stats.successful_uploads);
     msg = msg.replace("__TOTAL__", stats.files_queued + stats.successful_uploads +
       stats.upload_errors + stats.upload_cancelled + stats.queue_errors);
@@ -268,7 +268,7 @@
 
   // This event comes from the Queue Plugin
   function queue_complete(num_files_uploaded) {
-    var status_msg = "<?= t("Uploaded: __COUNT__")->for_js() ?>";
+    var status_msg = <?= t("Uploaded: __COUNT__")->for_js() ?>;
     $("#gUploadStatus").html(status_msg.replace("__COUNT__", num_files_uploaded));
   }
 </script>
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index 2ed8c38e..3b1ff92c 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
+   var MSG_CANCEL = <?= t('Cancel')->for_js() ?>;
    </script>
    <?= $theme->script("gallery.ajax.js") ?>
    <?= $theme->script("gallery.dialog.js") ?>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index 844ef295..2696442b 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -12,7 +12,7 @@
           <? if ($theme->item()->is_album()): ?>
           <?= t("Browse Album :: %album_title", array("album_title" => $theme->item()->title)) ?>
           <? elseif ($theme->item()->is_photo()): ?>
-	  <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
+          <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
           <? else: ?>
           <?= t("Movie :: %movie_title", array("movie_title" => $theme->item()->title)) ?>
           <? endif ?>
@@ -51,7 +51,7 @@
     <?= $theme->script("gallery.common.js") ?>
     <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
     <script type="text/javascript">
-    var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
+    var MSG_CANCEL = <?= t('Cancel')->for_js() ?>;
     </script>
     <?= $theme->script("gallery.ajax.js") ?>
     <?= $theme->script("gallery.dialog.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 00e157ce..5289b467 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= html::clean_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size(<?= html::js_string($theme->item()->file_url()) ?>, "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
-- 
cgit v1.2.3