From 53711225ac9d116e72c159de943284fd55fe26e4 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Tue, 1 Sep 2009 01:28:52 -0700
Subject: XSS / style fixes for newly detected issues (after fixing XSS
 scanner)

---
 modules/recaptcha/views/admin_recaptcha.html.php | 4 ++--
 modules/recaptcha/views/form_recaptcha.html.php  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'modules/recaptcha/views')

diff --git a/modules/recaptcha/views/admin_recaptcha.html.php b/modules/recaptcha/views/admin_recaptcha.html.php
index 43b4da8a..35722be4 100644
--- a/modules/recaptcha/views/admin_recaptcha.html.php
+++ b/modules/recaptcha/views/admin_recaptcha.html.php
@@ -4,7 +4,7 @@
   <p>
     <?= t("reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows.  In order to use it, you need to sign up for a <a href=\"%domain_url\">reCAPTCHA Public/Private Key pair</a>, which is also free.  Once registered, the challenge and response strings are evaluated at <a href=\"%recaptcha_url\">recaptcha.net</a> to determine if the form content has been entered by a bot.",
           array("domain_url" => $form->get_key_url,
-                "recaptcha_url" => "http://recaptcha.net")) ?>
+                "recaptcha_url" => html::mark_safe("http://recaptcha.net"))) ?>
   </p>
 
      <?= $form ?>
@@ -23,7 +23,7 @@
     Recaptcha.create("<?= $public_key ?>", "gRecaptcha", {
       callback: Recaptcha.focus_response_field,
       lang: "en",
-      custom_translations : { instructions_visual : "<?= t("Type words to check:") ?>"},
+      custom_translations : { instructions_visual : <?= t("Type words to check:")->for_js() ?>},
       theme: "white"
     });
   </script>
diff --git a/modules/recaptcha/views/form_recaptcha.html.php b/modules/recaptcha/views/form_recaptcha.html.php
index d4031586..4ec04c49 100644
--- a/modules/recaptcha/views/form_recaptcha.html.php
+++ b/modules/recaptcha/views/form_recaptcha.html.php
@@ -8,7 +8,7 @@
       "gRecaptcha",
       {
         theme: "white",
-        custom_translations : { instructions_visual : "<?= t("Type words to check:") ?>"},
+        custom_translations : { instructions_visual : <?= t("Type words to check:")->for_js() ?>},
         callback: Recaptcha.focus_response_field
       }
     );
-- 
cgit v1.2.3


From 1d3069145273bcb3514f08fa9eee2dbf55a07b01 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Tue, 1 Sep 2009 12:14:23 -0700
Subject: Add missing mark_clean() for t() calls with %attr parameter.

---
 modules/comment/views/comments.html.php          | 2 +-
 modules/recaptcha/views/admin_recaptcha.html.php | 2 +-
 themes/default/views/album.html.php              | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'modules/recaptcha/views')

diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index b7ebdf3a..7eb34c20 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -8,7 +8,7 @@
 <? if (!$comments->count()): ?>
 <p id="gNoCommentsYet">
   <?= t("No comments yet. Be the first to <a %attrs>comment</a>!",
-      array("attrs" => "href=\"#add_comment_form\" class=\"showCommentForm\"")) ?>
+        array("attrs" => html::mark_clean("href=\"#add_comment_form\" class=\"showCommentForm\""))) ?>
 </p>
 <? endif ?>
 <ul>
diff --git a/modules/recaptcha/views/admin_recaptcha.html.php b/modules/recaptcha/views/admin_recaptcha.html.php
index 35722be4..0a4b1f8f 100644
--- a/modules/recaptcha/views/admin_recaptcha.html.php
+++ b/modules/recaptcha/views/admin_recaptcha.html.php
@@ -4,7 +4,7 @@
   <p>
     <?= t("reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows.  In order to use it, you need to sign up for a <a href=\"%domain_url\">reCAPTCHA Public/Private Key pair</a>, which is also free.  Once registered, the challenge and response strings are evaluated at <a href=\"%recaptcha_url\">recaptcha.net</a> to determine if the form content has been entered by a bot.",
           array("domain_url" => $form->get_key_url,
-                "recaptcha_url" => html::mark_safe("http://recaptcha.net"))) ?>
+                "recaptcha_url" => html::mark_clean("http://recaptcha.net"))) ?>
   </p>
 
      <?= $form ?>
diff --git a/themes/default/views/album.html.php b/themes/default/views/album.html.php
index caabeee3..8bc81a31 100644
--- a/themes/default/views/album.html.php
+++ b/themes/default/views/album.html.php
@@ -30,7 +30,7 @@
   <? if ($user->admin || access::can("add", $item)): ?>
   <? $addurl = url::file("index.php/simple_uploader/app/$item->id") ?>
   <li><?= t("There aren't any photos here yet! <a %attrs>Add some</a>.",
-            array("attrs" => "href=\"$addurl\" class=\"gDialogLink\"")) ?></li>
+            array("attrs" => html::mark_clean("href=\"$addurl\" class=\"gDialogLink\""))) ?></li>
   <? else: ?>
   <li><?= t("There aren't any photos here yet!") ?></li>
   <? endif; ?>
-- 
cgit v1.2.3