From 708f27f483d70660446ea2132b02cb7b39225f98 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sun, 31 May 2009 00:11:48 -0700
Subject: Run p::clean() on any variables that contain data entered by users.

---
 modules/notification/views/comment_published.html.php | 18 +++++++++++-------
 modules/notification/views/item_added.html.php        | 14 +++++++++-----
 2 files changed, 20 insertions(+), 12 deletions(-)

(limited to 'modules/notification')

diff --git a/modules/notification/views/comment_published.html.php b/modules/notification/views/comment_published.html.php
index 23588c72..ff2ba0bc 100644
--- a/modules/notification/views/comment_published.html.php
+++ b/modules/notification/views/comment_published.html.php
@@ -1,30 +1,34 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= $subject ?> </title>
+    <title><?= p::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= $subject ?></h2>
+    <h2><?= p::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Comment:") ?></td>
-        <td><?= $comment->text ?></td>
+        <td><?= p::clean($comment->text) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Name:") ?></td>
-        <td><?= $comment->author_name() ?></td>
+        <td><?= p::clean($comment->author_name()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Email:") ?></td>
-        <td><?= $comment->author_email() ?></td>
+        <td><?= p::clean($comment->author_email()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author URL:") ?></td>
-        <td><?= $comment->author_url() ?></td>
+        <td><?= p::clean($comment->author_url()) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
-        <td><a href="<?= $comment->item()->url(array(), true) ?>#comments"><?= $comment->item()->url(array(), true) ?>#comments</a></td>
+        <td>
+          <a href="<?= $comment->item()->url(array(), true) ?>#comments">
+            <?= $comment->item()->url(array(), true) ?>#comments
+          </a>
+        </td>
       </tr>
     </table>
   </body>
diff --git a/modules/notification/views/item_added.html.php b/modules/notification/views/item_added.html.php
index b67b9f38..32857c08 100644
--- a/modules/notification/views/item_added.html.php
+++ b/modules/notification/views/item_added.html.php
@@ -1,23 +1,27 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= $subject ?> </title>
+    <title><?= p::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= $subject ?></h2>
+    <h2><?= p::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Title:") ?></td>
-        <td><?= $item->title ?></td>
+        <td><?= p::clean($item->title) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
-        <td><a href="<?= $item->url(array(), true) ?>"><?= $item->url(array(), true) ?></a></td>
+        <td>
+          <a href="<?= $item->url(array(), true) ?>">
+            <?= $item->url(array(), true) ?>
+          </a>
+        </td>
       </tr>
       <? if ($item->description): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-        <td><?= $item->description ?></td>
+        <td><?= p::clean($item->description) ?></td>
       </tr>
       <? endif ?>
     </table>
-- 
cgit v1.2.3