From 5e83ebd6d0e1eccb1a865dc6c5fe2ef712bd421b Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Sun, 28 Jun 2009 16:50:55 -0700 Subject: Use $theme->script() method to render module javascript files --- modules/organize/helpers/organize_theme.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'modules/organize') diff --git a/modules/organize/helpers/organize_theme.php b/modules/organize/helpers/organize_theme.php index 27f8cdb2..cddc48b6 100644 --- a/modules/organize/helpers/organize_theme.php +++ b/modules/organize/helpers/organize_theme.php @@ -20,11 +20,9 @@ class organize_theme { static function head($theme) { // @tdo remove the addition css and organize.js (just here to test) - $script[] = html::script("modules/organize/js/organize_init.js"); - $script[] = html::script("modules/organize/js/organize.js"); - $script[] = "script("modules/organize/js/organize_init.js"); + $theme->script("modules/organize/js/organize.js"); + return ""; - return implode("\n", $script); - //return html::script("modules/organize/js/organize_init.js"); } } -- cgit v1.2.3 From 42c82ef7f081630c15a5d354205896764348a76a Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 29 Jun 2009 06:08:50 -0700 Subject: Temporary checkin to allow merge with trunk... don't integrate --- modules/gallery/libraries/Theme_View.php | 29 ++++++++++++++++++++++++- modules/organize/helpers/organize_theme.php | 3 +-- modules/server_add/helpers/server_add_theme.php | 3 +-- themes/admin_default/views/admin.html.php | 16 +------------- 4 files changed, 31 insertions(+), 20 deletions(-) (limited to 'modules/organize') diff --git a/modules/gallery/libraries/Theme_View.php b/modules/gallery/libraries/Theme_View.php index 25818821..c5888b4a 100644 --- a/modules/gallery/libraries/Theme_View.php +++ b/modules/gallery/libraries/Theme_View.php 
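Review bot: The context comment `// @tdo remove the addition css and organize.js (just here to test)` above the new `$theme->script()` calls keeps the `@tdo` typo, so a `@todo` scan will not find it, and after the inline script assembly is gone it no longer says which of the two registrations is the temporary one. Suggest at least `// @todo remove organize.js (just here to test)` so the note matches the code it now sits above. `head()` now works by side effect (registering files on `$theme`) and always returns `""`; a one-line docblock such as `/** Registers the module's scripts with the theme; the returned head markup is intentionally empty. */` would stop a reader from treating the empty return as a bug. The hunk is partly garbled in this rendering, so the exact removed lines are uncertain.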
@@ -20,6 +20,7 @@ class Theme_View_Core extends View { private $theme_name = null; private $scripts = array(); + private $css = array(); /** * Attempts to load a view and pre-load view data. @@ -172,6 +173,10 @@ class Theme_View_Core extends View { $this->scripts[$file] = 1; } + public function css($file) { + $this->css[$file] = 1; + } + /** * Combine a series of Javascript files into a single one and cache it in the database, then * return a single "; } + /** + * Combine a series of Javascript files into a single one and cache it in the database, then + * return a single "; diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php index dfbafe31..1361ae33 100644 --- a/themes/admin_default/views/admin.html.php +++ b/themes/admin_default/views/admin.html.php @@ -6,21 +6,7 @@ <?= t("Admin Dashboard") ?> " type="image/x-icon" /> - " - media="screen,projection" /> - " - media="screen,projection" /> - " - media="screen,projection" /> - " - media="screen,projection" /> - " - media="screen,projection" /> - - admin_head() ?> + admin_head() ?> body_attributes() ?>> -- cgit v1.2.3 From 8f9a943f55c1342177d7687e3d891f5d1c9eff30 Mon Sep 17 00:00:00 2001 
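Review bot: The docblock added on the new side after `css($file)` reads `Combine a series of Javascript files into a single one and cache it in the database`, which is the wording of the existing `script()` comment and does not describe a stylesheet collector; this section is badly garbled in the rendering, so which method the comment attaches to is inferred rather than visible. The new `$this->css[$file] = 1` registry also has no visible consumer in these hunks, which fits the subject's "don't integrate" warning but means `css()` silently drops files until something renders them. Suggest a docblock on `css()` such as `/** Register a stylesheet to be emitted in the page head. */` and a short comment on `$css` noting it is keyed by file path like `$scripts`.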
From: Bharat Mediratta
Date: Wed, 1 Jul 2009 17:57:39 -0700
Subject: Fix a bunch of XSS vulnerabilities turned up by manual inspection using the checklist in ticket #385.
---
 modules/gallery/controllers/admin_advanced_settings.php | 2 +-
 modules/gallery/controllers/admin_modules.php | 2 +-
 modules/gallery/controllers/albums.php | 9 ++++++---
 modules/gallery/controllers/movies.php | 3 ++-
 modules/gallery/controllers/photos.php | 3 ++-
 modules/gallery/controllers/quick.php | 11 ++++++-----
 modules/gallery/helpers/l10n_client.php | 4 +++-
 modules/organize/controllers/organize.php | 6 +++---
 modules/server_add/controllers/admin_server_add.php | 4 ++--
 modules/server_add/controllers/server_add.php | 2 +-
 modules/tag/controllers/admin_tags.php | 6 +++---
 modules/user/controllers/admin_users.php | 17 ++++++++++-------
 modules/user/controllers/login.php | 5 +++--
 modules/user/controllers/logout.php | 4 ++--
 modules/user/controllers/password.php | 4 +++-
 15 files changed, 48 insertions(+), 34 deletions(-)
(limited to 'modules/organize')
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index 79bc1183..64007fdb 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
 module::set_var($module_name, $var_name, Input::instance()->post("value"));
 message::success(
 t("Saved value for %var (%module_name)",
- array("var" => $var_name, "module_name" => $module_name)));
+ array("var" => p::clean($var_name), "module_name" => $module_name)));
 print json_encode(array("result" => "success"));
 }
diff --git a/modules/gallery/controllers/admin_modules.php b/modules/gallery/controllers/admin_modules.php
index ed1f7665..dfa49a0e 100644
--- a/modules/gallery/controllers/admin_modules.php
+++ b/modules/gallery/controllers/admin_modules.php
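Review bot: In the `+` line `$var_name` is wrapped in `p::clean()` but `$module_name` in the same message is not, although the context line passes both straight into `module::set_var()` and they appear to come from the same request (the method's start is outside the hunk, so their origin is inferred). If `$module_name` is request-controlled it reaches the flash message unescaped exactly as `$var_name` did before this change; suggest `array("var" => p::clean($var_name), "module_name" => p::clean($module_name))`. Escaping both also keeps this hunk consistent with the rest of the commit, which cleans every interpolated value.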
@@ -56,7 +56,7 @@ class Admin_Modules_Controller extends Admin_Controller {
 module::event("module_change", $changes);
- // @todo this type of collation is questionable from a i18n perspective
+ // @todo this type of collation is questionable from an i18n perspective
 if ($activated_names) {
 message::success(t("Activated: %names", array("names" => join(", ", $activated_names))));
 }
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 22f50fb8..d141d157 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -111,7 +111,8 @@ class Albums_Controller extends Items_Controller {
 log::success("content", "Created an album", html::anchor("albums/$new_album->id", "view album"));
- message::success(t("Created album %album_title", array("album_title" => $new_album->title)));
+ message::success(
+ t("Created album %album_title", array("album_title" => p::clean($new_album->title))));
 print json_encode(
 array("result" => "success",
@@ -143,7 +144,8 @@ class Albums_Controller extends Items_Controller {
 user::active()->id);
 log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo"));
- message::success(t("Added photo %photo_title", array("photo_title" => $photo->title)));
+ message::success(
+ t("Added photo %photo_title", array("photo_title" => p::clean($photo->title))));
 print json_encode(
 array("result" => "success",
@@ -197,7 +199,8 @@ class Albums_Controller extends Items_Controller {
 module::event("item_updated", $orig, $album);
 log::success("content", "Updated album", "id\">view");
- message::success(t("Saved album %album_title", array("album_title" => $album->title)));
+ message::success(
+ t("Saved album %album_title", array("album_title" => p::clean($album->title))));
 print json_encode(
 array("result" => "success",
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index d8cca825..30a5d78c 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -94,7 +94,8 @@ class Movies_Controller extends Items_Controller {
 module::event("item_updated", $orig, $photo);
 log::success("content", "Updated photo", "id\">view");
- message::success(t("Saved photo %photo_title", array("photo_title" => $photo->title)));
+ message::success(
+ t("Saved photo %photo_title", array("photo_title" => p::clean($photo->title))));
 print json_encode(
 array("result" => "success",
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index f5be5d59..6a62e859 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -87,7 +87,8 @@ class Photos_Controller extends Items_Controller {
 module::event("item_updated", $orig, $photo);
 log::success("content", "Updated photo", "id\">view");
- message::success(t("Saved photo %photo_title", array("photo_title" => $photo->title)));
+ message::success(
+ t("Saved photo %photo_title", array("photo_title" => p::clean($photo->title))));
 print json_encode(
 array("result" => "success",
diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php
index e89d9701..5d3d8885 100644
--- a/modules/gallery/controllers/quick.php
+++ b/modules/gallery/controllers/quick.php
@@ -89,7 +89,7 @@ class Quick_Controller extends Controller {
 access::required("view", $item->parent());
 access::required("edit", $item->parent());
- $msg = t("Made %title this album's cover", array("title" => $item->title));
+ $msg = t("Made %title this album's cover", array("title" => p::clean($item->title)));
 item::make_album_cover($item);
 message::success($msg);
@@ -105,9 +105,10 @@ class Quick_Controller extends Controller {
 if ($item->is_album()) {
 print t(
 "Delete the album %title? All photos and movies in the album will also be deleted.",
- array("title" => $item->title));
+ array("title" => p::clean($item->title)));
 } else {
- print t("Are you sure you want to delete %title?", array("title" => $item->title));
+ print t("Are you sure you want to delete %title?",
+ array("title" => p::clean($item->title)));
 }
 $form = item::get_delete_form($item);
@@ -121,9 +122,9 @@ class Quick_Controller extends Controller {
 access::required("edit", $item);
 if ($item->is_album()) {
- $msg = t("Deleted album %title", array("title" => $item->title));
+ $msg = t("Deleted album %title", array("title" => p::clean($item->title)));
 } else {
- $msg = t("Deleted photo %title", array("title" => $item->title));
+ $msg = t("Deleted photo %title", array("title" => p::clean($item->title)));
 }
 $item->delete();
diff --git a/modules/gallery/helpers/l10n_client.php b/modules/gallery/helpers/l10n_client.php
index 20f81ecc..e153532c 100644
--- a/modules/gallery/helpers/l10n_client.php
+++ b/modules/gallery/helpers/l10n_client.php
@@ -112,7 +112,9 @@ class l10n_client_Core {
 // {key:, ...}
 // ]
 $count = count($response);
- log::info("translations", "Installed $count new / updated translation messages");
+ log::info("translations",
+ t2("Installed 1 new / updated translation message",
+ "Installed %count new / updated translation messages", $count));
 foreach ($response as $message_data) {
 // @todo Better input validation
diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 57709cb5..5f80805c 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -283,10 +283,10 @@ class Organize_Controller extends Controller {
 if ($item->is_album()) {
 log::success("content", "Updated album", "id\">view");
- $message = t("Saved album %album_title", array("album_title" => $item->title));
+ $message = t("Saved album %album_title", array("album_title" => p::clean($item->title)));
 } else {
 log::success("content", "Updated photo", "id\">view");
- $message = t("Saved photo %photo_title", array("photo_title" => $item->title));
+ $message = t("Saved photo %photo_title", array("photo_title" => p::clean($item->title)));
 }
 print json_encode(array("form" => $form->__toString(), "message" => $message));
 } else {
@@ -325,7 +325,7 @@ class Organize_Controller extends Controller {
 module::event("item_updated", $orig, $item);
 log::success("content", "Updated album", "id\">view");
- $message = t("Saved album %album_title", array("album_title" => $item->title));
+ $message = t("Saved album %album_title", array("album_title" => p::clean($item->title)));
 print json_encode(array("form" => $form->__toString(), "message" => $message));
 } else {
 print json_encode(array("form" => $form->__toString()));
diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index a3f9aa96..a30215b8 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -40,7 +40,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
 module::set_var("server_add", "authorized_paths", serialize($paths));
 $form->add_path->inputs->path->value = "";
- message::success(t("Added path %path", array("path" => $path)));
+ message::success(t("Added path %path", array("path" => p::clean($path))));
 server_add::check_config($paths);
 url::redirect("admin/server_add");
@@ -62,7 +62,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
 $path = $this->input->get("path");
 $paths = unserialize(module::get_var("server_add", "authorized_paths"));
 unset($paths[$path]);
- message::success(t("Removed path %path", array("path" => $path)));
+ message::success(t("Removed path %path", array("path" => p::clean($path))));
 module::set_var("server_add", "authorized_paths", serialize($paths));
 server_add::check_config($paths);
diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php
index c92b4f7e..05ea5058 100644
--- a/modules/server_add/controllers/server_add.php
+++ b/modules/server_add/controllers/server_add.php
@@ -110,7 +110,7 @@ class Server_Add_Controller extends Controller {
 "url" => "",
 "task" => array(
 "id" => -1, "done" => 1, "percent_complete" => 100,
- "status" => t("No Eligible files, import cancelled"))));
+ "status" => t("No eligible files, import cancelled"))));
 return;
 }
diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index af5055ff..dcdc16b9 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -53,8 +53,8 @@ class Admin_Tags_Controller extends Admin_Controller {
 $name = $tag->name;
 Database::instance()->delete("items_tags", array("tag_id" => "$tag->id"));
 $tag->delete();
- message::success(t("Deleted tag %tag_name", array("tag_name" => $name)));
- log::success("tags", t("Deleted tag %tag_name", array("tag_name" => $name)));
+ message::success(t("Deleted tag %tag_name", array("tag_name" => p::clean($name))));
+ log::success("tags", t("Deleted tag %tag_name", array("tag_name" => p::clean($name))));
 print json_encode(
 array("result" => "success",
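Review bot: `message::success(t("Removed path %path", ...))` is reported unconditionally, but the preceding `unset($paths[$path])` is a no-op when `$path` is not in the authorized list, so a stale link or mistyped parameter yields a "Removed path" confirmation for a path that was never removed, and the unchanged array is then re-serialized. Suggest tying the message to the removal: `if (isset($paths[$path])) { unset($paths[$path]); message::success(t("Removed path %path", array("path" => p::clean($path)))); }` and reporting an error otherwise. The path also arrives via `$this->input->get("path")`, i.e. a state-changing action driven by a GET parameter; whether a CSRF check precedes the hunk is not visible, so it is worth confirming. The enclosing method starts outside the hunk.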
@@ -98,7 +98,7 @@ class Admin_Tags_Controller extends Admin_Controller {
 $tag->save();
 $message = t("Renamed tag %old_name to %new_name",
- array("old_name" => $old_name, "new_name" => $tag->name));
+ array("old_name" => p::clean($old_name), "new_name" => p::clean($tag->name)));
 message::success($message);
 log::success("tags", $message);
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index fe8061aa..b5dc6cb5 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -50,7 +50,7 @@ class Admin_Users_Controller extends Controller {
 }
 $user->save();
- message::success(t("Created user %user_name", array("user_name" => $user->name)));
+ message::success(t("Created user %user_name", array("user_name" => p::clean($user->name))));
 print json_encode(array("result" => "success"));
 } else {
 print json_encode(array("result" => "error",
@@ -83,7 +83,7 @@ class Admin_Users_Controller extends Controller {
 "form" => $form->__toString()));
 }
- $message = t("Deleted user %user_name", array("user_name" => $name));
+ $message = t("Deleted user %user_name", array("user_name" => p::clean($name)));
 log::success("user", $message);
 message::success($message);
 print json_encode(array("result" => "success"));
@@ -139,7 +139,7 @@ class Admin_Users_Controller extends Controller {
 }
 $user->save();
- message::success(t("Changed user %user_name", array("user_name" => $user->name)));
+ message::success(t("Changed user %user_name", array("user_name" => p::clean($user->name))));
 print json_encode(array("result" => "success"));
 } else {
 print json_encode(array("result" => "error",
@@ -200,7 +200,8 @@ class Admin_Users_Controller extends Controller {
 if ($valid) {
 $group = group::create($new_name);
 $group->save();
- message::success(t("Created group %group_name", array("group_name" => $group->name)));
+ message::success(
+ t("Created group %group_name", array("group_name" => p::clean($group->name))));
 print json_encode(array("result" => "success"));
 } else {
 print json_encode(array("result" => "error",
@@ -229,7 +230,7 @@ class Admin_Users_Controller extends Controller {
 "form" => $form->__toString()));
 }
- $message = t("Deleted group %group_name", array("group_name" => $name));
+ $message = t("Deleted group %group_name", array("group_name" => p::clean($name)));
 log::success("group", $message);
 message::success($message);
 print json_encode(array("result" => "success"));
@@ -266,10 +267,12 @@ class Admin_Users_Controller extends Controller {
 if ($valid) {
 $group->name = $form->edit_group->inputs["name"]->value;
 $group->save();
- message::success(t("Changed group %group_name", array("group_name" => $group->name)));
+ message::success(
+ t("Changed group %group_name", array("group_name" => p::clean($group->name))));
 print json_encode(array("result" => "success"));
 } else {
- message::error(t("Failed to change group %group_name", array("group_name" => $group->name)));
+ message::error(
+ t("Failed to change group %group_name", array("group_name" => p::clean($group->name))));
 print json_encode(array("result" => "error",
 "form" => $form->__toString()));
 }
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 54a7905e..4d901051 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -62,7 +62,8 @@ class Login_Controller extends Controller {
 if (!$user->loaded || !user::is_correct_password($user, $form->login->password->value)) {
 log::warning(
 "user",
- t("Failed login for %name", array("name" => $form->login->inputs["name"]->value)));
+ t("Failed login for %name",
+ array("name" => p::clean($form->login->inputs["name"]->value))));
 $form->login->inputs["name"]->add_error("invalid_login", 1);
 $valid = false;
 }
@@ -70,7 +71,7 @@ class Login_Controller extends Controller {
 if ($valid) {
 user::login($user);
- log::info("user", t("User %name logged in", array("name" => $user->name)));
+ log::info("user", t("User %name logged in", array("name" => p::clean($user->name))));
 }
 // Either way, regenerate the session id to avoid session trapping
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index a541ed9b..63971789 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -23,8 +23,8 @@ class Logout_Controller extends Controller {
 $user = user::active();
 user::logout();
- log::info("user", t("User %name logged out", array("name" => $user->name)),
- html::anchor("user/$user->id", $user->name));
+ log::info("user", t("User %name logged out", array("name" => p::clean($user->name))),
+ html::anchor("user/$user->id", p::clean($user->name)));
 if ($this->input->get("continue")) {
 $item = url::get_item_from_uri($this->input->get("continue"));
 if (access::can("view", $item)) {
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index 2dde11b8..ed3b9736 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -72,7 +72,9 @@ class Password_Controller extends Controller {
 ->message($message->render())
 ->send();
- log::success("user", "Password reset email sent for user $user->name");
+ log::success(
+ "user",
+ t("Password reset email sent for user %name", array("name" => p::clean($user->name))));
 } else {
 // Don't include the username here until you're sure that it's XSS safe
 log::warning(
-- cgit v1.2.3
From 54ffea24196e8f5d88cf9d8607455f0f6aab305c Mon Sep 17 00:00:00 2001
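Review bot: The `else` branch directly below the new `+` lines still carries the context comment `// Don't include the username here until you're sure that it's XSS safe`, which this commit makes stale: the success branch now shows the accepted pattern, `p::clean($user->name)`, and the warning branch could log the same escaped name for consistency, but its `log::warning(` call continues past the hunk so its current arguments are not visible. If that branch is updated, the comment should go with it so it does not contradict the code; if it is left alone, the comment should say why the two branches differ. The change in the hunk itself is consistent with the rest of the commit.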
From: Tim Almdal Date: Fri, 3 Jul 2009 21:44:10 -0700 Subject: Split the clean method into two clean and purify. clean is a light weight approach using html::specialchars and purify uses HTMLPurifier to intelligently cleanse the output fields. Use purifier for text and title fields where it is likely that a user would enter html to format their data. --- modules/comment/controllers/comments.php | 4 ++-- modules/comment/helpers/comment_rss.php | 2 +- modules/comment/views/admin_block_recent_comments.html.php | 2 +- modules/comment/views/admin_comments.html.php | 4 ++-- modules/comment/views/comment.html.php | 2 +- modules/comment/views/comments.html.php | 2 +- modules/digibug/controllers/digibug.php | 2 +- modules/gallery/controllers/quick.php | 10 +++++----- modules/gallery/helpers/p.php | 4 ++++ modules/gallery/views/permissions_browse.html.php | 2 +- modules/gallery/views/simple_uploader.html.php | 6 +++--- modules/info/views/info_block.html.php | 4 ++-- modules/notification/views/comment_published.html.php | 2 +- modules/notification/views/item_added.html.php | 4 ++-- modules/notification/views/item_deleted.html.php | 2 +- modules/organize/controllers/organize.php | 10 +++++----- modules/organize/views/organize.html.php | 2 +- modules/search/views/search.html.php | 4 ++-- themes/default/views/album.html.php | 4 ++-- themes/default/views/header.html.php | 4 ++-- themes/default/views/movie.html.php | 4 ++-- themes/default/views/photo.html.php | 4 ++-- 22 files changed, 44 insertions(+), 40 deletions(-) (limited to 'modules/organize') diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php index 99ecc8e0..2840ba67 100644 --- a/modules/comment/controllers/comments.php +++ b/modules/comment/controllers/comments.php 
@@ -41,7 +41,7 @@ class Comments_Controller extends REST_Controller { "id" => $comment->id, "author_name" => p::clean($comment->author_name()), "created" => $comment->created, - "text" => p::clean($comment->text)); + "text" => p::purify($comment->text)); } print json_encode($data); break; @@ -128,7 +128,7 @@ class Comments_Controller extends REST_Controller { "id" => $comment->id, "author_name" => p::clean($comment->author_name()), "created" => $comment->created, - "text" => p::clean($comment->text)))); + "text" => p::purify($comment->text)))); } else { $view = new Theme_View("comment.html", "fragment"); $view->comment = $comment; diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php index ef2d176e..746c6161 100644 --- a/modules/comment/helpers/comment_rss.php +++ b/modules/comment/helpers/comment_rss.php @@ -23,7 +23,7 @@ class comment_rss_Core { $feeds["comment/newest"] = t("All new comments"); if ($item) { $feeds["comment/item/$item->id"] = - t("Comments on %title", array("title" => p::clean($item->title))); + t("Comments on %title", array("title" => p::purify($item->title))); } return $feeds; } diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php index af4d946e..893c1a63 100644 --- a/modules/comment/views/admin_block_recent_comments.html.php +++ b/modules/comment/views/admin_block_recent_comments.html.php @@ -10,7 +10,7 @@ created) ?> %author_name said %comment_text', array("author_name" => p::clean($comment->author_name()), - "comment_text" => text::limit_words(p::clean($comment->text), 50))); ?> + "comment_text" => text::limit_words(p::purify($comment->text), 50))); ?> diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php index 453cf849..489605d5 100644 --- a/modules/comment/views/admin_comments.html.php +++ b/modules/comment/views/admin_comments.html.php 
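Review bot: `p::purify($item->title)` in the comment_rss hunk produces HTML-sanitized markup, but the value is stored as a feed title (`$feeds["comment/item/$item->id"]`, alongside the plain `t("All new comments")` entry), which is an XML text context rather than an HTML body; purified output may still contain permitted tags and entities that have to be XML-escaped by whatever renders the feed, and if that layer does not escape, the title carries literal markup. Unless the feed renderer is known to escape, the previous `p::clean($item->title)` or escaping at the feed renderer is the safer choice for a title. The function's head is outside the hunk, so how `$feeds` is consumed is inferred.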
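Review bot: `text::limit_words(p::purify($comment->text), 50)` in the admin_block_recent_comments hunk truncates after purifying, so the word cut can land inside a tag or attribute and leave unbalanced markup in the admin block, discarding the well-formedness HTMLPurifier just established. Reversing the order, `p::purify(text::limit_words($comment->text, 50))`, truncates the raw text first and then sanitizes, so whatever is emitted is balanced. The same ordering is worth checking in the other views this commit switches to `p::purify()` (listed in the diffstat under `themes/default/views/` and `modules/search/views/`) though their hunks are not visible here. This view hunk is garbled in the rendering, so its exact surrounding lines are uncertain.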
@@ -122,7 +122,7 @@ has_thumb()): ?> <?= p::clean($item->title) ?>thumb_width, $item->thumb_height, 75) ?> /> @@ -132,7 +132,7 @@

created) ?>

- text) ?> + text) ?>

@@ -185,7 +185,7 @@ $("#gUploadQueueInfo").text("(completed " + stats.successful_uploads + " of " + (stats.files_queued + stats.successful_uploads + stats.upload_errors + stats.upload_cancelled + stats.queue_errors) + ")"); } - + // Auto start the upload this.startUpload(); } diff --git a/modules/info/views/info_block.html.php b/modules/info/views/info_block.html.php index db621006..ccb564d3 100644 --- a/modules/info/views/info_block.html.php +++ b/modules/info/views/info_block.html.php @@ -2,12 +2,12 @@