From 8f9a943f55c1342177d7687e3d891f5d1c9eff30 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Wed, 1 Jul 2009 17:57:39 -0700
Subject: Fix a bunch of XSS vulnerabilities turned up by manual inspection using the checklist in ticket #385.

---
 modules/organize/controllers/organize.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'modules/organize/controllers/organize.php')

diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 57709cb5..5f80805c 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -283,10 +283,10 @@ class Organize_Controller extends Controller {
 if ($item->is_album()) {
 log::success("content", "Updated album", "id\">view");
- $message = t("Saved album %album_title", array("album_title" => $item->title));
+ $message = t("Saved album %album_title", array("album_title" => p::clean($item->title)));
 } else {
 log::success("content", "Updated photo", "id\">view");
- $message = t("Saved photo %photo_title", array("photo_title" => $item->title));
+ $message = t("Saved photo %photo_title", array("photo_title" => p::clean($item->title)));
 }
 print json_encode(array("form" => $form->__toString(), "message" => $message));
 } else {
@@ -325,7 +325,7 @@ class Organize_Controller extends Controller {
 module::event("item_updated", $orig, $item);
 log::success("content", "Updated album", "id\">view");
- $message = t("Saved album %album_title", array("album_title" => $item->title));
+ $message = t("Saved album %album_title", array("album_title" => p::clean($item->title)));
 print json_encode(array("form" => $form->__toString(), "message" => $message));
 } else {
 print json_encode(array("form" => $form->__toString()));
-- 
cgit v1.2.3
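Review bot: The two `+` lines escape the title before handing it to `t()`, so whether the result is encoded exactly once depends on what `t()` does with its substitution array and on what `p::clean` returns, and neither is visible in this hunk; if `t()` already HTML-escapes its arguments, a title containing `&` will come back as `&amp;amp;` in the saved-message toast, and if it does not, this call is the only barrier. The message is then emitted inside `json_encode(...)`, so the escaping context is really decided by the JavaScript that consumes `message` (HTML insertion wants HTML escaping, text insertion wants none), and the surrounding `log::success` lines build an anchor by string concatenation from what looks like the item id, which is only safe if that id is a database integer — worth confirming rather than assuming. I would pin the contract at the first assignment with a comment such as `// p::clean: title is user-supplied and the client injects "message" as HTML`, so the next maintainer knows why the escaping lives here and not in t(). The method enclosing this hunk begins and ends outside the hunk.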
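Review bot: This is the third copy in the same controller of the `$message = t("Saved album %album_title", array("album_title" => p::clean($item->title)))` construction, and the XSS being fixed here was missed precisely because the escaping had to be remembered at each copy. A small private helper that produces the saved-message string would make `p::clean` happen in exactly one place, so the call site in this hunk becomes `$message = self::saved_message($item);` and the two branches in the earlier hunk collapse to the same line. The `t()` strings and placeholder names are kept as they are so existing translations still match. The method enclosing this hunk begins and ends outside the hunk.
```php
  /**
   * Build the "Saved ..." status message for an item.
   * The title is user-supplied; it is HTML-escaped here, once, because the
   * JSON "message" field is rendered by the client (confirm it is inserted as HTML).
   */
  private static function saved_message($item) {
    $title = p::clean($item->title);
    if ($item->is_album()) {
      return t("Saved album %album_title", array("album_title" => $title));
    }
    return t("Saved photo %photo_title", array("photo_title" => $title));
  }
  // … unchanged: event dispatch and log::success call …
      $message = self::saved_message($item);
```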