From 708f27f483d70660446ea2132b02cb7b39225f98 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sun, 31 May 2009 00:11:48 -0700
Subject: Run p::clean() on any variables that contain data entered by users.

---
 modules/gallery/views/admin_advanced_settings.html.php  | 8 ++++----
 modules/gallery/views/admin_block_log_entries.html.php  | 2 +-
 modules/gallery/views/admin_block_photo_stream.html.php | 4 ++--
 modules/gallery/views/admin_maintenance.html.php        | 2 +-
 modules/gallery/views/after_install.html.php            | 2 +-
 modules/gallery/views/move_tree.html.php                | 8 ++++----
 modules/gallery/views/permissions_browse.html.php       | 4 ++--
 modules/gallery/views/permissions_form.html.php         | 2 +-
 modules/gallery/views/simple_uploader.html.php          | 6 +++---
 9 files changed, 19 insertions(+), 19 deletions(-)

(limited to 'modules/gallery')

diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index 9f90d671..77aff050 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -20,12 +20,12 @@
     <? if ($var->module_name == "gallery" && $var->name == "_cache") continue ?>
     <tr class="setting">
       <td> <?= $var->module_name ?> </td>
-      <td> <?= $var->name ?> </td>
+      <td> <?= p::clean($var->name) ?> </td>
       <td>
-        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/$var->name") ?>"
+        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . p::clean($var->name)) ?>"
           class="gDialogLink"
-          title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
-          <?= $var->value ?>
+          title="<?= t("Edit %var (%module_name)", array("var" => p::clean($var->name), "module_name" => $var->module_name)) ?>">
+          <?= p::clean($var->value) ?>
       </a>
       </td>
     </tr>
diff --git a/modules/gallery/views/admin_block_log_entries.html.php b/modules/gallery/views/admin_block_log_entries.html.php
index db6313e1..5d8f3084 100644
--- a/modules/gallery/views/admin_block_log_entries.html.php
+++ b/modules/gallery/views/admin_block_log_entries.html.php
@@ -2,7 +2,7 @@
 <ul>
   <? foreach ($entries as $entry): ?>
   <li class="<?= log::severity_class($entry->severity) ?>">
-    <a href="<?= url::site("user/$entry->user_id") ?>"><?= $entry->user->name ?></a>
+    <a href="<?= url::site("user/$entry->user_id") ?>"><?= p::clean($entry->user->name) ?></a>
     <?= date("Y-M-d H:i:s", $entry->timestamp) ?>
     <?= $entry->message ?>
     <?= $entry->html ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index e8a4d933..1e1329d1 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= $photo->title ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= p::clean($photo->title) ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= $photo->title ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= p::clean($photo->title) ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index bc060a7b..66c4eea0 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -90,7 +90,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= $task->owner()->name ?>
+          <?= p::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->state == "stalled"): ?>
diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php
index aa26858a..d6ba8e7c 100644
--- a/modules/gallery/views/after_install.html.php
+++ b/modules/gallery/views/after_install.html.php
@@ -8,7 +8,7 @@
 </p>
 
 <p>
-  <?= t("You're logged in to the <b>%user_name</b> account.  The very first thing you should do is to change your password to something that you'll remember.", array("user_name" => $user->name)) ?>
+  <?= t("You're logged in to the <b>%user_name</b> account.  The very first thing you should do is to change your password to something that you'll remember.", array("user_name" => p::clean($user->name))) ?>
 </p>
 
 <p>
diff --git a/modules/gallery/views/move_tree.html.php b/modules/gallery/views/move_tree.html.php
index a3a4bc8f..91a2f9da 100644
--- a/modules/gallery/views/move_tree.html.php
+++ b/modules/gallery/views/move_tree.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <?= $parent->thumb_tag(array(), 25); ?>
 <? if (!access::can("edit", $parent) || $source->is_descendant($parent)): ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= $parent->title ?> <?= t("(locked)") ?> </a>
+<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= p::clean($parent->title) ?> <?= t("(locked)") ?> </a>
 <? else: ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= $parent->title ?></a>
+<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= p::clean($parent->title) ?></a>
 <? endif ?>
 <ul id="tree_<?= $parent->id ?>">
   <? foreach ($children as $child): ?>
   <li id="node_<?= $child->id ?>" class="node">
     <?= $child->thumb_tag(array(), 25); ?>
     <? if (!access::can("edit", $child) || $source->is_descendant($child)): ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= $child->title ?> <?= t("(locked)") ?></a>
+    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= p::clean($child->title) ?> <?= t("(locked)") ?></a>
     <? else: ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= $child->title ?> </a>
+    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= p::clean($child->title) ?> </a>
     <? endif ?>
   </li>
   <? endforeach ?>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index 749bee4f..5cd9cf82 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -35,14 +35,14 @@
     <? foreach ($parents as $parent): ?>
     <li>
       <a href="javascript:show(<?= $parent->id ?>)">
-        <?= $parent->title ?>
+        <?= p::clean($parent->title) ?>
       </a>
       <div class="form" id="edit-<?= $parent->id ?>"></div>
       <ul>
         <? endforeach ?>
         <li>
           <a href="javascript:show(<?= $item->id ?>)">
-            <?= $item->title ?>
+            <?= p::clean($item->title) ?>
           </a>
           <div class="form" id="edit-<?= $item->id ?>">
             <?= $form ?>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index 94103705..adf2bd94 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -6,7 +6,7 @@
     <tr>
       <th> </th>
       <? foreach ($groups as $group): ?>
-      <th> <?= $group->name ?> </th>
+      <th> <?= p::clean($group->name) ?> </th>
       <? endforeach ?>
     </tr>
 
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index b6725c31..abda6d26 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -5,7 +5,7 @@
 <!-- hack to set the title for the dialog -->
 <form id="gAddPhotosForm" action="<?= url::site("simple_uploader/finish") ?>">
   <fieldset>
-    <legend> <?= t("Add photos to %album_title", array("album_title" => $item->title)) ?> </legend>
+    <legend> <?= t("Add photos to %album_title", array("album_title" => p::clean($item->title))) ?> </legend>
   </fieldset>
 </form>
 
@@ -25,9 +25,9 @@
   </p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
-    <li> <?= $parent->title ?> </li>
+    <li> <?= p::clean($parent->title) ?> </li>
     <? endforeach ?>
-    <li class="active"> <?= $item->title ?> </li>
+    <li class="active"> <?= p::clean($item->title) ?> </li>
   </ul>
 
   <p><?= t("Upload Queue") ?></p>
-- 
cgit v1.2.3