From c01ac42c4604b3b129e8089e0dc683ebd418b380 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 12:48:40 -0700
Subject: Refactor all calls of p::clean() to SafeString::of() and p::purify()
 to SafeString::purify().

Removing any p::clean() calls for arguments to t() and t2() since their args are wrapped in a SafeString anyway.
---
 modules/rss/views/feed.mrss.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'modules/rss')

diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 447179a5..7298b7f4 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>gallery3</generator>
-    <title><?= p::clean($feed->title) ?></title>
+    <title><?= SafeString::of($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= p::clean($feed->description) ?></description>
+    <description><?= SafeString::of($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= p::clean($child->title) ?></title>
+      <title><?= SafeString::of($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= p::clean($child->description) ?></span>
+          <span><?= SafeString::of($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= p::clean($child->title) ?>"
+                 title="<?= SafeString::of($child->title) ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= p::clean($child->title) ?>"
+                 title="<?= SafeString::of($child->title) ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= p::clean($child->description) ?>
+            <?= SafeString::of($child->description) ?>
           </p>
         ]]>
       </content:encoded>
-- 
cgit v1.2.3


From 0204617b602183a3e157bc7e23c617acd22a5212 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 15:41:02 -0700
Subject: XSS fixes

---
 modules/gallery/views/admin_maintenance.html.php   | 2 +-
 modules/rss/views/rss_block.html.php               | 2 +-
 modules/server_add/views/admin_server_add.html.php | 4 ++--
 modules/server_add/views/server_add_tree.html.php  | 4 ++--
 modules/tag/views/admin_tags.html.php              | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

(limited to 'modules/rss')

diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index a0a6a19e..a1f7b126 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -164,7 +164,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= $task->owner()->name ?>
+          <?= SafeString::of($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->done): ?>
diff --git a/modules/rss/views/rss_block.html.php b/modules/rss/views/rss_block.html.php
index 39921d7d..cd8db89d 100644
--- a/modules/rss/views/rss_block.html.php
+++ b/modules/rss/views/rss_block.html.php
@@ -5,7 +5,7 @@
     <span class="ui-icon-left">
     <a href="<?= rss::url($url) ?>">
       <span class="ui-icon ui-icon-signal-diag"></span>
-      <?= $title ?>
+      <?= SafeString::purify($title) ?>
     </a>
     </span>
   </li>
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index 30ab3536..c4439bda 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -11,12 +11,12 @@
     <ul id="gPathList">
       <? foreach ($paths as $id => $path): ?>
       <li class="ui-icon-left">
-        <a href="<?= url::site("admin/server_add/remove_path?path=$path&amp;csrf=$csrf") ?>"
+        <a href="<?= url::site("admin/server_add/remove_path?path=" . urlencode($path) . "&amp;csrf=$csrf") ?>"
            id="icon_<?= $id?>"
            class="gRemoveDir ui-icon ui-icon-trash">
           X
         </a>
-        <?= $path ?>
+        <?= SafeString::of($path) ?>
       </li>
       <? endforeach ?>
     </ul>
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index b68544ec..2f65a590 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -10,7 +10,7 @@
     <li class="ui-icon-left">
       <span class="ui-icon ui-icon-folder-open"></span>
       <span ondblclick="open_dir('<?= $dir ?>')">
-        <?= basename($dir) ?>
+        <?= SafeString::of(basename($dir)) ?>
       </span>
       <ul>
         <? endforeach ?>
@@ -22,7 +22,7 @@
                 <? if (is_dir($file)): ?>
                 ondblclick="open_dir($(this).attr('file'))"
                 <? endif ?>
-                file="<?= $file ?>"
+                file="<?= strtr($file, array('"' => '\\"')) ?>"
                 >
             <?= SafeString::of(basename($file)) ?>
           </span>
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 5bd23112..30dd0728 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -32,7 +32,7 @@
           <? $current_letter = strtoupper(mb_substr($tag->name, 0, 1)) ?>
 
           <? if ($i == 0): /* first letter */ ?>
-            <strong><?= $current_letter ?></strong>
+            <strong><?= SafeString::of($current_letter) ?></strong>
             <ul>
           <? elseif ($last_letter != $current_letter): /* new letter */ ?>
             <? if ($column_tag_count > $tags_per_column): /* new column */ ?>
@@ -42,7 +42,7 @@
             <? endif ?>
 
             </ul>
-            <strong><?= $current_letter ?></strong>
+            <strong><?= SafeString::of($current_letter) ?></strong>
             <ul>
           <? endif ?>
 
-- 
cgit v1.2.3


From b9bd1681a3b1496c0f1bbe5e6254ab4fd0c9fe30 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 22:54:20 -0700
Subject: Update all code to use helper method html::clean(), html::purify(),
 ... instead of SafeString directly.

---
 modules/comment/controllers/comments.php                   |  8 ++++----
 modules/comment/helpers/comment_rss.php                    |  8 ++++----
 modules/comment/views/admin_block_recent_comments.html.php |  6 +++---
 modules/comment/views/admin_comments.html.php              | 10 +++++-----
 modules/comment/views/comment.html.php                     |  6 +++---
 modules/comment/views/comment.mrss.php                     | 12 ++++++------
 modules/comment/views/comments.html.php                    |  6 +++---
 modules/digibug/controllers/digibug.php                    |  2 +-
 modules/exif/views/exif_dialog.html.php                    |  4 ++--
 modules/g2_import/helpers/g2_import.php                    |  2 +-
 modules/gallery/controllers/admin_advanced_settings.php    |  2 +-
 modules/gallery/controllers/quick.php                      | 10 +++++-----
 modules/gallery/helpers/MY_html.php                        |  4 ++--
 modules/gallery/helpers/gallery_rss.php                    |  4 ++--
 modules/gallery/helpers/gallery_task.php                   |  4 ++--
 modules/gallery/tests/Html_Helper_Test.php                 |  4 ++--
 modules/gallery/tests/Xss_Security_Test.php                |  4 ++--
 modules/gallery/views/admin_advanced_settings.html.php     |  6 +++---
 modules/gallery/views/admin_block_log_entries.html.php     |  2 +-
 modules/gallery/views/admin_block_photo_stream.html.php    |  4 ++--
 modules/gallery/views/admin_languages.html.php             |  4 ++--
 modules/gallery/views/admin_maintenance.html.php           |  4 ++--
 modules/gallery/views/admin_maintenance_show_log.html.php  |  2 +-
 modules/gallery/views/move_tree.html.php                   |  8 ++++----
 modules/gallery/views/permissions_browse.html.php          |  4 ++--
 modules/gallery/views/permissions_form.html.php            |  2 +-
 modules/gallery/views/simple_uploader.html.php             | 14 +++++++-------
 modules/info/views/info_block.html.php                     | 10 +++++-----
 modules/notification/views/comment_published.html.php      | 12 ++++++------
 modules/notification/views/item_added.html.php             |  8 ++++----
 modules/notification/views/item_deleted.html.php           |  6 +++---
 modules/notification/views/item_updated.html.php           | 12 ++++++------
 modules/organize/views/organize_dialog.html.php            |  2 +-
 modules/organize/views/organize_tree.html.php              |  6 +++---
 modules/rss/views/feed.mrss.php                            | 14 +++++++-------
 modules/rss/views/rss_block.html.php                       |  2 +-
 modules/search/views/search.html.php                       |  6 +++---
 modules/server_add/views/admin_server_add.html.php         |  2 +-
 modules/server_add/views/server_add_tree.html.php          |  4 ++--
 modules/server_add/views/server_add_tree_dialog.html.php   |  6 +++---
 modules/tag/controllers/admin_tags.php                     |  2 +-
 modules/tag/views/admin_tags.html.php                      |  6 +++---
 modules/tag/views/tag_cloud.html.php                       |  2 +-
 modules/user/controllers/logout.php                        |  2 +-
 modules/user/views/admin_users.html.php                    |  8 ++++----
 modules/user/views/admin_users_group.html.php              |  4 ++--
 modules/user/views/login.html.php                          |  2 +-
 themes/default/views/album.html.php                        |  6 +++---
 themes/default/views/dynamic.html.php                      |  4 ++--
 themes/default/views/header.html.php                       |  4 ++--
 themes/default/views/movie.html.php                        |  4 ++--
 themes/default/views/photo.html.php                        |  6 +++---
 52 files changed, 143 insertions(+), 143 deletions(-)

(limited to 'modules/rss')

diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php
index 87633f4c..82b12893 100644
--- a/modules/comment/controllers/comments.php
+++ b/modules/comment/controllers/comments.php
@@ -39,9 +39,9 @@ class Comments_Controller extends REST_Controller {
       foreach ($comments as $comment) {
         $data[] = array(
           "id" => $comment->id,
-          "author_name" => SafeString::of($comment->author_name()),
+          "author_name" => html::clean($comment->author_name()),
           "created" => $comment->created,
-          "text" => nl2br(SafeString::purify($comment->text)));
+          "text" => nl2br(html::purify($comment->text)));
       }
       print json_encode($data);
       break;
@@ -126,9 +126,9 @@ class Comments_Controller extends REST_Controller {
         array("result" => "success",
               "data" => array(
                 "id" => $comment->id,
-                "author_name" => SafeString::of($comment->author_name()),
+                "author_name" => html::clean($comment->author_name()),
                 "created" => $comment->created,
-                "text" => nl2br(SafeString::purify($comment->text)))));
+                "text" => nl2br(html::purify($comment->text)))));
     } else {
       $view = new Theme_View("comment.html", "fragment");
       $view->comment = $comment;
diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php
index 4151dcd0..b539887b 100644
--- a/modules/comment/helpers/comment_rss.php
+++ b/modules/comment/helpers/comment_rss.php
@@ -23,7 +23,7 @@ class comment_rss_Core {
     $feeds["comment/newest"] = t("All new comments");
     if ($item) {
       $feeds["comment/item/$item->id"] =
-        t("Comments on %title", array("title" => SafeString::purify($item->title)));
+        t("Comments on %title", array("title" => html::purify($item->title)));
     }
     return $feeds;
   }
@@ -49,13 +49,13 @@ class comment_rss_Core {
       $item = $comment->item();
       $feed->children[] = new ArrayObject(
         array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
-              "text" => nl2br(SafeString::purify($comment->text)),
+              "text" => nl2br(html::purify($comment->text)),
               "thumb_url" => $item->thumb_url(),
               "thumb_height" => $item->thumb_height,
               "thumb_width" => $item->thumb_width,
               "item_uri" => url::abs_site("{$item->type}s/$item->id"),
-              "title" => SafeString::purify($item->title),
-              "author" => SafeString::of($comment->author_name())),
+              "title" => html::purify($item->title),
+              "author" => html::clean($comment->author_name())),
         ArrayObject::ARRAY_AS_PROPS);
     }
 
diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php
index 2c7a5cf1..dc3975e0 100644
--- a/modules/comment/views/admin_block_recent_comments.html.php
+++ b/modules/comment/views/admin_block_recent_comments.html.php
@@ -4,13 +4,13 @@
   <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
     <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
          class="gAvatar"
-         alt="<?= SafeString::of($comment->author_name()) ?>"
+         alt="<?= html::clean($comment->author_name()) ?>"
          width="32"
          height="32" />
     <?= gallery::date_time($comment->created) ?>
     <?= t('<a href="#">%author_name</a> said <em>%comment_text</em>',
-          array("author_name" => SafeString::of($comment->author_name()),
-                "comment_text" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50))); ?>
+          array("author_name" => html::clean($comment->author_name()),
+                "comment_text" => text::limit_words(nl2br(html::purify($comment->text)), 50))); ?>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index 8b0b4c29..801ce2b3 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -108,12 +108,12 @@
         <a href="#">
           <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
                class="gAvatar"
-               alt="<?= SafeString::of($comment->author_name()) ?>"
+               alt="<?= html::clean($comment->author_name()) ?>"
                width="40"
                height="40" />
         </a>
-        <p><a href="mailto:<?= SafeString::of($comment->author_email()) ?>"
-              title="<?= SafeString::of($comment->author_email()) ?>"> <?= SafeString::of($comment->author_name()) ?> </a></p>
+        <p><a href="mailto:<?= html::clean($comment->author_email()) ?>"
+              title="<?= html::clean($comment->author_email()) ?>"> <?= html::clean($comment->author_name()) ?> </a></p>
       </td>
       <td>
         <div class="right">
@@ -122,7 +122,7 @@
             <a href="<?= $item->url() ?>">
               <? if ($item->has_thumb()): ?>
               <img src="<?= $item->thumb_url() ?>"
-                 alt="<?= SafeString::purify($item->title) ?>"
+                 alt="<?= html::purify($item->title) ?>"
                  <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
               />
               <? else: ?>
@@ -132,7 +132,7 @@
           </div>
         </div>
         <p><?= gallery::date($comment->created) ?></p>
-           <?= nl2br(SafeString::purify($comment->text)) ?>
+           <?= nl2br(html::purify($comment->text)) ?>
       </td>
       <td>
         <ul class="gButtonSetVertical">
diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php
index 31bb7f4d..1d0786cb 100644
--- a/modules/comment/views/comment.html.php
+++ b/modules/comment/views/comment.html.php
@@ -4,15 +4,15 @@
     <a href="#">
       <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
            class="gAvatar"
-           alt="<?= SafeString::of($comment->author_name()) ?>"
+           alt="<?= html::clean($comment->author_name()) ?>"
            width="40"
            height="40" />
     </a>
     <?= t("on %date_time, %author_name said",
           array("date_time" => gallery::date_time($comment->created),
-                "author_name" => SafeString::of($comment->author_name()))) ?>
+                "author_name" => html::clean($comment->author_name()))) ?>
   </p>
   <div>
-  <?= nl2br(SafeString::purify($comment->text)) ?>
+  <?= nl2br(html::purify($comment->text)) ?>
   </div>
 </li>
diff --git a/modules/comment/views/comment.mrss.php b/modules/comment/views/comment.mrss.php
index ae7762d9..c2a4b538 100644
--- a/modules/comment/views/comment.mrss.php
+++ b/modules/comment/views/comment.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>Gallery 3</generator>
-    <title><?= SafeString::of($feed->title) ?></title>
+    <title><?= html::clean($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= SafeString::of($feed->description) ?></description>
+    <description><?= html::clean($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,14 +22,14 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= SafeString::purify($child->title) ?></title>
-      <link><?= SafeString::of($child->item_uri) ?></link>
-      <author><?= SafeString::of($child->author) ?></author>
+      <title><?= html::purify($child->title) ?></title>
+      <link><?= html::clean($child->item_uri) ?></link>
+      <author><?= html::clean($child->author) ?></author>
       <guid isPermaLink="true"><?= $child->item_uri ?></guid>
       <pubDate><?= $child->pub_date ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <p><?= nl2br(SafeString::purify($child->text)) ?></p>
+          <p><?= nl2br(html::purify($child->text)) ?></p>
           <p>
             <img alt="" src="<?= $child->thumb_url ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" />
diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index 9eac0502..1e45c946 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -18,16 +18,16 @@
       <a href="#">
         <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
              class="gAvatar"
-             alt="<?= SafeString::of($comment->author_name()) ?>"
+             alt="<?= html::clean($comment->author_name()) ?>"
              width="40"
              height="40" />
       </a>
       <?= t('on %date <a href="#">%name</a> said',
             array("date" => date("Y-M-d H:i:s", $comment->created),
-                  "name" => SafeString::of($comment->author_name()))); ?>
+                  "name" => html::clean($comment->author_name()))); ?>
     </p>
     <div>
-      <?= nl2br(SafeString::purify($comment->text)) ?>
+      <?= nl2br(html::purify($comment->text)) ?>
     </div>
   </li>
   <? endforeach ?>
diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index 509a8b70..0939704b 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
@@ -50,7 +50,7 @@ class Digibug_Controller extends Controller {
       "image_width_1" => $item->width,
       "thumb_height_1" => $item->thumb_height,
       "thumb_width_1" => $item->thumb_width,
-      "title_1" => SafeString::purify($item->title));
+      "title_1" => html::purify($item->title));
 
     print $v;
   }
diff --git a/modules/exif/views/exif_dialog.html.php b/modules/exif/views/exif_dialog.html.php
index a981ca09..11d1e212 100644
--- a/modules/exif/views/exif_dialog.html.php
+++ b/modules/exif/views/exif_dialog.html.php
@@ -14,14 +14,14 @@
          <?= $details[$i]["caption"] ?>
          </td>
          <td class="gOdd">
-         <?= SafeString::of($details[$i]["value"]) ?>
+         <?= html::clean($details[$i]["value"]) ?>
          </td>
          <? if (!empty($details[++$i])): ?>
            <td class="gEven">
            <?= $details[$i]["caption"] ?>
            </td>
            <td class="gOdd">
-           <?= SafeString::of($details[$i]["value"]) ?>
+           <?= html::clean($details[$i]["value"]) ?>
            </td>
          <? else: ?>
            <td class="gEven"></td><td class="gOdd"></td>
diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php
index a01ca1db..7e5c6f75 100644
--- a/modules/g2_import/helpers/g2_import.php
+++ b/modules/g2_import/helpers/g2_import.php
@@ -590,7 +590,7 @@ class g2_import_Core {
     self::map($g2_comment->getId(), $comment->id);
     return t("Imported comment '%comment' for item with id: %id",
              array("id" => $comment->item_id,
-                   "comment" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50)));
+                   "comment" => text::limit_words(nl2br(html::purify($comment->text)), 50)));
   }
 
   /**
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index d727b654..43c77340 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
     module::set_var($module_name, $var_name, Input::instance()->post("value"));
     message::success(
       t("Saved value for %var (%module_name)",
-        array("var" => SafeString::of($var_name), "module_name" => $module_name)));
+        array("var" => html::clean($var_name), "module_name" => $module_name)));
 
     print json_encode(array("result" => "success"));
   }
diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php
index 8fddb563..20731f9c 100644
--- a/modules/gallery/controllers/quick.php
+++ b/modules/gallery/controllers/quick.php
@@ -75,7 +75,7 @@ class Quick_Controller extends Controller {
     access::required("view", $item->parent());
     access::required("edit", $item->parent());
 
-    $msg = t("Made <b>%title</b> this album's cover", array("title" => SafeString::purify($item->title)));
+    $msg = t("Made <b>%title</b> this album's cover", array("title" => html::purify($item->title)));
 
     item::make_album_cover($item);
     message::success($msg);
@@ -91,10 +91,10 @@ class Quick_Controller extends Controller {
     if ($item->is_album()) {
       print t(
         "Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
-        array("title" => SafeString::purify($item->title)));
+        array("title" => html::purify($item->title)));
     } else {
       print t("Are you sure you want to delete <b>%title</b>?",
-              array("title" => SafeString::purify($item->title)));
+              array("title" => html::purify($item->title)));
     }
 
     $form = item::get_delete_form($item);
@@ -108,9 +108,9 @@ class Quick_Controller extends Controller {
     access::required("edit", $item);
 
     if ($item->is_album()) {
-      $msg = t("Deleted album <b>%title</b>", array("title" => SafeString::purify($item->title)));
+      $msg = t("Deleted album <b>%title</b>", array("title" => html::purify($item->title)));
     } else {
-      $msg = t("Deleted photo <b>%title</b>", array("title" => SafeString::purify($item->title)));
+      $msg = t("Deleted photo <b>%title</b>", array("title" => html::purify($item->title)));
     }
 
     $parent = $item->parent();
diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php
index eb388811..75114898 100644
--- a/modules/gallery/helpers/MY_html.php
+++ b/modules/gallery/helpers/MY_html.php
@@ -65,11 +65,11 @@ class html extends html_Core {
    *
    * Example:<pre>
    *   <script type="text/javascript>"
-   *     var some_js_var = "<?= html::escape_for_js($php_var) ?>";
+   *     var some_js_var = "<?= html::clean_js($php_var) ?>";
    *   </script>
    * </pre>
    */
-  static function escape_for_js($string) {
+  static function clean_js($string) {
     return SafeString::of($string)->for_js();
   }
 
diff --git a/modules/gallery/helpers/gallery_rss.php b/modules/gallery/helpers/gallery_rss.php
index affb3101..dee6ae40 100644
--- a/modules/gallery/helpers/gallery_rss.php
+++ b/modules/gallery/helpers/gallery_rss.php
@@ -53,9 +53,9 @@ class gallery_rss_Core {
         ->descendants($limit, $offset, array("type" => "photo"));
       $feed->max_pages = ceil(
         $item->viewable()->descendants_count(array("type" => "photo")) / $limit);
-      $feed->title = SafeString::purify($item->title);
+      $feed->title = html::purify($item->title);
       $feed->link = url::abs_site("albums/{$item->id}");
-      $feed->description = nl2br(SafeString::purify($item->description));
+      $feed->description = nl2br(html::purify($item->description));
 
       return $feed;
     }
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index 8c0e8aa8..c9557324 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -64,10 +64,10 @@ class gallery_task_Core {
           if (!$success) {
             $ignored[$item->id] = 1;
             $errors[] = t("Unable to rebuild images for '%title'",
-                          array("title" => SafeString::purify($item->title)));
+                          array("title" => html::purify($item->title)));
           } else {
             $errors[] = t("Successfully rebuilt images for '%title'",
-                          array("title" => SafeString::purify($item->title)));
+                          array("title" => html::purify($item->title)));
           }
         }
 
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
index 4d934ad5..a9903256 100644
--- a/modules/gallery/tests/Html_Helper_Test.php
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -40,8 +40,8 @@ class Html_Helper_Test extends Unit_Test_Case {
 			$safe_string_2);
   }
 
-  public function escape_for_js_test() {
-    $string = html::escape_for_js("hello's <p  >world</p>");
+  public function clean_js_test() {
+    $string = html::clean_js("hello's <p  >world</p>");
     $this->assert_equal("hello\\'s <p  >world<\\/p>",
 			$string);
   }
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 8e5f8354..16e5a856 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -151,7 +151,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
 		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
 		in_array($tokens[$token_number + 2][1],
-			 array("clean", "purify", "escape_for_js", "clean_attribute_test")) &&
+			 array("clean", "purify", "clean_js", "clean_attribute")) &&
 		self::_token_matches("(", $tokens, $token_number + 3)) {
               // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
 
@@ -161,7 +161,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 	      $token_number += 3;
 	      $token = $tokens[$token_number];
 
-              if ("escape_for_js" == $method) {
+              if ("clean_js" == $method) {
                 $frame->is_safe_js(true);
               } else {
                 $frame->is_safe_html(true);
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index adc15b91..4235e8f8 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -20,13 +20,13 @@
     <? if ($var->module_name == "gallery" && $var->name == "_cache") continue ?>
     <tr class="setting">
       <td> <?= $var->module_name ?> </td>
-      <td> <?= SafeString::of($var->name) ?> </td>
+      <td> <?= html::clean($var->name) ?> </td>
       <td>
-        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . SafeString::of($var->name)) ?>"
+        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>"
           class="gDialogLink"
           title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
           <? if ($var->value): ?>
-          <?= SafeString::of($var->value) ?>
+          <?= html::clean($var->value) ?>
           <? else: ?>
           <i> <?= t("empty") ?> </i>
           <? endif ?>
diff --git a/modules/gallery/views/admin_block_log_entries.html.php b/modules/gallery/views/admin_block_log_entries.html.php
index b7afb22d..780ff2d0 100644
--- a/modules/gallery/views/admin_block_log_entries.html.php
+++ b/modules/gallery/views/admin_block_log_entries.html.php
@@ -2,7 +2,7 @@
 <ul>
   <? foreach ($entries as $entry): ?>
   <li class="<?= log::severity_class($entry->severity) ?>" style="direction: ltr">
-    <a href="<?= url::site("user/$entry->user_id") ?>"><?= SafeString::of($entry->user->name) ?></a>
+    <a href="<?= url::site("user/$entry->user_id") ?>"><?= html::clean($entry->user->name) ?></a>
     <?= gallery::date_time($entry->timestamp) ?>
     <?= $entry->message ?>
     <?= $entry->html ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index 732bdc38..a50836ad 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= SafeString::of($photo->title) ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= SafeString::of($photo->title) ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index 4bee9bb1..052d749b 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -40,7 +40,7 @@
   </form>
 	
 	<script type="text/javascript">
-    var old_default_locale = "<?= SafeString::of($default_locale)->for_js() ?>";
+    var old_default_locale = "<?= html::escape_for_js($default_locale) ?>";
     
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
@@ -57,7 +57,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")->for_js() ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="<?= html::escape_for_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index a1f7b126..05bc0923 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -93,7 +93,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= SafeString::of($task->owner()->name) ?>
+          <?= html::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->state == "stalled"): ?>
@@ -164,7 +164,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= SafeString::of($task->owner()->name) ?>
+          <?= html::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->done): ?>
diff --git a/modules/gallery/views/admin_maintenance_show_log.html.php b/modules/gallery/views/admin_maintenance_show_log.html.php
index 209aef03..8ea1beb6 100644
--- a/modules/gallery/views/admin_maintenance_show_log.html.php
+++ b/modules/gallery/views/admin_maintenance_show_log.html.php
@@ -12,7 +12,7 @@ appendTo('body').submit().remove();
 <div id="gTaskLogDialog">
   <h1> <?= $task->name ?> </h1>
   <div class="gTaskLog">
-    <pre><?= SafeString::purify($task->get_log()) ?></pre>
+    <pre><?= html::purify($task->get_log()) ?></pre>
   </div>
   <button id="gCloseButton" class="ui-state-default ui-corner-all" onclick="dismiss()"><?= t("Close") ?></button>
   <button id="gSaveButton" class="ui-state-default ui-corner-all" onclick="download()"><?= t("Save") ?></button>
diff --git a/modules/gallery/views/move_tree.html.php b/modules/gallery/views/move_tree.html.php
index 7818a42a..623f80ee 100644
--- a/modules/gallery/views/move_tree.html.php
+++ b/modules/gallery/views/move_tree.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <?= $parent->thumb_img(array(), 25); ?>
 <? if (!access::can("edit", $parent) || $source->is_descendant($parent)): ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= SafeString::of($parent->title) ?> <?= t("(locked)") ?> </a>
+<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= html::clean($parent->title) ?> <?= t("(locked)") ?> </a>
 <? else: ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= SafeString::of($parent->title) ?></a>
+<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= html::clean($parent->title) ?></a>
 <? endif ?>
 <ul id="tree_<?= $parent->id ?>">
   <? foreach ($children as $child): ?>
   <li id="node_<?= $child->id ?>" class="node">
     <?= $child->thumb_img(array(), 25); ?>
     <? if (!access::can("edit", $child) || $source->is_descendant($child)): ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= SafeString::of($child->title) ?> <?= t("(locked)") ?></a>
+    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= html::clean($child->title) ?> <?= t("(locked)") ?></a>
     <? else: ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= SafeString::of($child->title) ?> </a>
+    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= html::clean($child->title) ?> </a>
     <? endif ?>
   </li>
   <? endforeach ?>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index 90970112..d9395b3f 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -39,13 +39,13 @@
     <? foreach ($parents as $parent): ?>
     <li id="item-<?= $parent->id ?>">
       <a href="javascript:show(<?= $parent->id ?>)">
-        <?= SafeString::purify($parent->title) ?>
+        <?= html::purify($parent->title) ?>
       </a>
     </li>
     <? endforeach ?>
     <li class="active" id="item-<?= $item->id ?>">
       <a href="javascript:show(<?= $item->id ?>)">
-    	<?= SafeString::purify($item->title) ?>
+    	<?= html::purify($item->title) ?>
       </a>
     </li>
   </ul>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index adc0496f..e6b217c5 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -6,7 +6,7 @@
     <tr>
       <th> </th>
       <? foreach ($groups as $group): ?>
-      <th> <?= SafeString::of($group->name) ?> </th>
+      <th> <?= html::clean($group->name) ?> </th>
       <? endforeach ?>
     </tr>
 
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 1f185780..b136972a 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -6,7 +6,7 @@
 <!-- hack to set the title for the dialog -->
 <form id="gAddPhotosForm" action="<?= url::site("simple_uploader/finish?csrf=$csrf") ?>">
   <fieldset>
-    <legend> <?= t("Add photos to %album_title", array("album_title" => SafeString::purify($item->title))) ?> </legend>
+    <legend> <?= t("Add photos to %album_title", array("album_title" => html::purify($item->title))) ?> </legend>
   </fieldset>
 </form>
 
@@ -26,9 +26,9 @@
   </p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
-    <li> <?= SafeString::of($parent->title) ?> </li>
+    <li> <?= html::clean($parent->title) ?> </li>
     <? endforeach ?>
-    <li class="active"> <?= SafeString::purify($item->title) ?> </li>
+    <li class="active"> <?= html::purify($item->title) ?> </li>
   </ul>
 
   <p>
@@ -82,13 +82,13 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= url::file("lib/swfupload/swfupload.swf")->for_js() ?>",
-    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id")->for_js() ?>",
+    flash_url: "<?= html::escape_for_js(url::file("lib/swfupload/swfupload.swf")) ?>",
+    upload_url: "<?= html::escape_for_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= SafeString::of(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")->for_js() ?>",
+    file_size_limit: "<?= html::escape_for_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")) ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
     file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
@@ -97,7 +97,7 @@
     debug: false,
 
     // Button settings
-    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png")->for_js() ?>",
+    button_image_url: "<?= html::escape_for_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
diff --git a/modules/info/views/info_block.html.php b/modules/info/views/info_block.html.php
index bfaaee99..d8f36984 100644
--- a/modules/info/views/info_block.html.php
+++ b/modules/info/views/info_block.html.php
@@ -2,18 +2,18 @@
 <ul class="gMetadata">
   <li>
     <strong class="caption"><?= t("Title:") ?></strong>
-    <?= SafeString::purify($item->title) ?>
+    <?= html::purify($item->title) ?>
   </li>
   <? if ($item->description): ?>
   <li>
     <strong class="caption"><?= t("Description:") ?></strong>
-     <?= nl2br(SafeString::purify($item->description)) ?>
+     <?= nl2br(html::purify($item->description)) ?>
   </li>
   <? endif ?>
   <? if (!$item->is_album()): ?>
   <li>
     <strong class="caption"><?= t("File name:") ?></strong>
-    <?= SafeString::of($item->name) ?>
+    <?= html::clean($item->name) ?>
   </li>
   <? endif ?>
   <? if ($item->captured): ?>
@@ -26,9 +26,9 @@
   <li>
     <strong class="caption"><?= t("Owner:") ?></strong>
     <? if ($item->owner->url): ?>
-    <a href="<?= $item->owner->url ?>"><?= SafeString::of($item->owner->display_name()) ?></a>
+    <a href="<?= $item->owner->url ?>"><?= html::clean($item->owner->display_name()) ?></a>
     <? else: ?>
-    <?= SafeString::of($item->owner->display_name()) ?>
+    <?= html::clean($item->owner->display_name()) ?>
     <? endif ?>
   </li>
   <? endif ?>
diff --git a/modules/notification/views/comment_published.html.php b/modules/notification/views/comment_published.html.php
index 02daf921..e39e39c6 100644
--- a/modules/notification/views/comment_published.html.php
+++ b/modules/notification/views/comment_published.html.php
@@ -1,26 +1,26 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Comment:") ?></td>
-  <td><?= nl2br(SafeString::purify($comment->text)) ?></td>
+  <td><?= nl2br(html::purify($comment->text)) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Name:") ?></td>
-        <td><?= SafeString::of($comment->author_name()) ?></td>
+        <td><?= html::clean($comment->author_name()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Email:") ?></td>
-        <td><?= SafeString::of($comment->author_email()) ?></td>
+        <td><?= html::clean($comment->author_email()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author URL:") ?></td>
-        <td><?= SafeString::of($comment->author_url()) ?></td>
+        <td><?= html::clean($comment->author_url()) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
diff --git a/modules/notification/views/item_added.html.php b/modules/notification/views/item_added.html.php
index 70b8fca4..f697fea6 100644
--- a/modules/notification/views/item_added.html.php
+++ b/modules/notification/views/item_added.html.php
@@ -1,14 +1,14 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Title:") ?></td>
-        <td><?= SafeString::purify($item->title) ?></td>
+        <td><?= html::purify($item->title) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
@@ -21,7 +21,7 @@
       <? if ($item->description): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-         <td><?= nl2br(SafeString::purify($item->description)) ?></td>
+         <td><?= nl2br(html::purify($item->description)) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/notification/views/item_deleted.html.php b/modules/notification/views/item_deleted.html.php
index e04fc71b..a51782ff 100644
--- a/modules/notification/views/item_deleted.html.php
+++ b/modules/notification/views/item_deleted.html.php
@@ -1,15 +1,15 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= SafeString::of($subject) ?></h2>
+    <h2><?= html::clean($subject) ?></h2>
     <table>
       <tr>
         <td colspan="2">
           <?= t("To view the changed album %title use the link below.",
-              array("title" => SafeString::purify($item->parent()->title))) ?>
+              array("title" => html::purify($item->parent()->title))) ?>
         </td>
       </tr>
       <tr>
diff --git a/modules/notification/views/item_updated.html.php b/modules/notification/views/item_updated.html.php
index c3a4f795..ba03540a 100644
--- a/modules/notification/views/item_updated.html.php
+++ b/modules/notification/views/item_updated.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= SafeString::of($subject) ?> </title>
+    <title><?= html::clean($subject) ?> </title>
   </head>
   <body>
-    <h2> <?= SafeString::of($subject) ?> </h2>
+    <h2> <?= html::clean($subject) ?> </h2>
     <table>
       <tr>
         <? if ($item->original("title") != $item->title): ?>
         <td><?= t("New Title:") ?></td>
-        <td><?= SafeString::of($item->title) ?></td>
+        <td><?= html::clean($item->title) ?></td>
         <? else: ?>
         <td><?= t("Title:") ?></td>
-        <td><?= SafeString::of($item->title) ?></td>
+        <td><?= html::clean($item->title) ?></td>
         <? endif ?>
       </tr>
       <tr>
@@ -22,12 +22,12 @@
       <? if ($item->original("description") != $item->description): ?>
       <tr>
         <td><?= t("New Description:") ?></td>
-        <td><?= SafeString::of($item->description) ?></td>
+        <td><?= html::clean($item->description) ?></td>
       </tr>
       <? elseif (!empty($item->description)): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-        <td><?= SafeString::of($item->description) ?></td>
+        <td><?= html::clean($item->description) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/organize/views/organize_dialog.html.php b/modules/organize/views/organize_dialog.html.php
index 27d5b508..857499aa 100644
--- a/modules/organize/views/organize_dialog.html.php
+++ b/modules/organize/views/organize_dialog.html.php
@@ -5,7 +5,7 @@
   var sort_order_url = "<?= url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf") ?>";
 </script>
 <div id="gOrganize" class="gDialogPanel">
-  <h1 style="display:none"><?= t("Organize %name", array("name" => SafeString::purify($album->title))) ?></h1>
+  <h1 style="display:none"><?= t("Organize %name", array("name" => html::purify($album->title))) ?></h1>
   <div id="bd">
     <div class="yui-gf">
       <div class="yui-u first">
diff --git a/modules/organize/views/organize_tree.html.php b/modules/organize/views/organize_tree.html.php
index 387d5977..5b676889 100644
--- a/modules/organize/views/organize_tree.html.php
+++ b/modules/organize/views/organize_tree.html.php
@@ -5,7 +5,7 @@
   <span class="ui-icon ui-icon-minus">
   </span>
   <span class="gAlbumText" ref="<?= $parent->id ?>">
-    <?= SafeString::of($parent->title) ?>
+    <?= html::clean($parent->title) ?>
   </span>
   <ul class="ui-icon-plus">
     <? endforeach ?>
@@ -17,7 +17,7 @@
       </span>
       <span class="gAlbumText <?= $peer->id == $album->id ? "selected" : "" ?>"
             ref="<?= $peer->id ?>">
-        <?= SafeString::of($peer->title) ?>
+        <?= html::clean($peer->title) ?>
       </span>
 
       <? if ($peer->id == $album->id): ?>
@@ -29,7 +29,7 @@
           </span>
           <span class="gAlbumText"
                 ref="<?= $child->id ?>">
-            <?= SafeString::of($child->title) ?>
+            <?= html::clean($child->title) ?>
           </span>
         </li>
         <? endforeach ?>
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 7298b7f4..731703c7 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   <channel>
     <generator>gallery3</generator>
-    <title><?= SafeString::of($feed->title) ?></title>
+    <title><?= html::clean($feed->title) ?></title>
     <link><?= $feed->uri ?></link>
-    <description><?= SafeString::of($feed->description) ?></description>
+    <description><?= html::clean($feed->description) ?></description>
     <language>en-us</language>
     <atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
     <fh:complete/>
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= SafeString::of($child->title) ?></title>
+      <title><?= html::clean($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= SafeString::of($child->description) ?></span>
+          <span><?= html::clean($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= SafeString::of($child->title) ?>"
+                 title="<?= html::clean($child->title) ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= SafeString::of($child->title) ?>"
+                 title="<?= html::clean($child->title) ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= SafeString::of($child->description) ?>
+            <?= html::clean($child->description) ?>
           </p>
         ]]>
       </content:encoded>
diff --git a/modules/rss/views/rss_block.html.php b/modules/rss/views/rss_block.html.php
index cd8db89d..737731b6 100644
--- a/modules/rss/views/rss_block.html.php
+++ b/modules/rss/views/rss_block.html.php
@@ -5,7 +5,7 @@
     <span class="ui-icon-left">
     <a href="<?= rss::url($url) ?>">
       <span class="ui-icon ui-icon-signal-diag"></span>
-      <?= SafeString::purify($title) ?>
+      <?= html::purify($title) ?>
     </a>
     </span>
   </li>
diff --git a/modules/search/views/search.html.php b/modules/search/views/search.html.php
index e5c7b4a6..7963948d 100644
--- a/modules/search/views/search.html.php
+++ b/modules/search/views/search.html.php
@@ -8,7 +8,7 @@
     <ul>
       <li>
         <label for="q"><?= t("Search the gallery") ?></label>
-        <input name="q" id="q" type="text" value="<?= SafeString::of($q)->for_html_attr() ?>"/>
+        <input name="q" id="q" type="text" value="<?= html::clean_attribute($q) ?>"/>
       </li>
       <li>
         <input type="submit" value="<?= t("Search")->for_html_attr() ?>" />
@@ -31,10 +31,10 @@
       <a href="<?= url::site("items/$item->id") ?>">
         <?= $item->thumb_img() ?>
         <p>
-    <?= SafeString::purify($item->title) ?>
+    <?= html::purify($item->title) ?>
         </p>
         <div>
-    <?= nl2br(SafeString::purify($item->description)) ?>
+    <?= nl2br(html::purify($item->description)) ?>
         </div>
       </a>
     </li>
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index c4439bda..b48a19da 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -16,7 +16,7 @@
            class="gRemoveDir ui-icon ui-icon-trash">
           X
         </a>
-        <?= SafeString::of($path) ?>
+        <?= html::clean($path) ?>
       </li>
       <? endforeach ?>
     </ul>
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index 2f65a590..dbae42c5 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -10,7 +10,7 @@
     <li class="ui-icon-left">
       <span class="ui-icon ui-icon-folder-open"></span>
       <span ondblclick="open_dir('<?= $dir ?>')">
-        <?= SafeString::of(basename($dir)) ?>
+        <?= html::clean(basename($dir)) ?>
       </span>
       <ul>
         <? endforeach ?>
@@ -24,7 +24,7 @@
                 <? endif ?>
                 file="<?= strtr($file, array('"' => '\\"')) ?>"
                 >
-            <?= SafeString::of(basename($file)) ?>
+            <?= html::clean(basename($file)) ?>
           </span>
         </li>
         <? endforeach ?>
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index 912e69b6..8eb6e4df 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -5,17 +5,17 @@
 </script>
 
 <div id="gServerAdd">
-  <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => SafeString::purify($item->title))) ?></h1>
+  <h1 style="display: none;"><?= t("Add Photos to '%title'", array("title" => html::purify($item->title))) ?></h1>
 
   <p id="gDescription"><?= t("Photos will be added to album:") ?></p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
     <li>
-      <?= SafeString::purify($parent->title) ?>
+      <?= html::purify($parent->title) ?>
     </li>
     <? endforeach ?>
     <li class="active">
-      <?= SafeString::purify($item->title) ?>
+      <?= html::purify($item->title) ?>
     </li>
   </ul>
 
diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index f1b4ca3a..8b8dde21 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -106,7 +106,7 @@ class Admin_Tags_Controller extends Admin_Controller {
         array("result" => "success",
               "location" => url::site("admin/tags"),
               "tag_id" => $tag->id,
-              "new_tagname" => SafeString::of($tag->name)));
+              "new_tagname" => html::clean($tag->name)));
     } else {
       print json_encode(
         array("result" => "error",
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 30dd0728..3d805c5e 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -32,7 +32,7 @@
           <? $current_letter = strtoupper(mb_substr($tag->name, 0, 1)) ?>
 
           <? if ($i == 0): /* first letter */ ?>
-            <strong><?= SafeString::of($current_letter) ?></strong>
+            <strong><?= html::clean($current_letter) ?></strong>
             <ul>
           <? elseif ($last_letter != $current_letter): /* new letter */ ?>
             <? if ($column_tag_count > $tags_per_column): /* new column */ ?>
@@ -42,12 +42,12 @@
             <? endif ?>
 
             </ul>
-            <strong><?= SafeString::of($current_letter) ?></strong>
+            <strong><?= html::clean($current_letter) ?></strong>
             <ul>
           <? endif ?>
 
           <li>
-            <span id="gTag-<?= $tag->id ?>" class="gEditable tag-name"><?= SafeString::of($tag->name) ?></span>
+            <span id="gTag-<?= $tag->id ?>" class="gEditable tag-name"><?= html::clean($tag->name) ?></span>
             <span class="understate">(<?= $tag->count ?>)</span>
             <a href="<?= url::site("admin/tags/form_delete/$tag->id") ?>"
                class="gDialogLink delete-link gButtonLink">
diff --git a/modules/tag/views/tag_cloud.html.php b/modules/tag/views/tag_cloud.html.php
index b4c6ae34..d6a0b5f8 100644
--- a/modules/tag/views/tag_cloud.html.php
+++ b/modules/tag/views/tag_cloud.html.php
@@ -3,7 +3,7 @@
   <? foreach ($tags as $tag): ?>
   <li class="size<?=(int)(($tag->count / $max_count) * 7) ?>">
     <span><?= $tag->count ?> photos are tagged with </span>
-    <a href="<?= url::site("tags/$tag->id") ?>"><?= SafeString::of($tag->name) ?></a>
+    <a href="<?= url::site("tags/$tag->id") ?>"><?= html::clean($tag->name) ?></a>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index 4b141a1c..fc3ced56 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -24,7 +24,7 @@ class Logout_Controller extends Controller {
     $user = user::active();
     user::logout();
     log::info("user", t("User %name logged out", array("name" => $user->name)),
-              html::anchor("user/$user->id", SafeString::of($user->name)));
+              html::anchor("user/$user->id", html::clean($user->name)));
     if ($continue_url = $this->input->get("continue")) {
       $item = url::get_item_from_uri($continue_url);
       if (access::can("view", $item)) {
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 36c4f4fd..9455f9d9 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -68,16 +68,16 @@
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
                title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= SafeString::of($user->name) ?>"
+               alt="<?= html::clean($user->name) ?>"
                width="20"
                height="20" />
-          <?= SafeString::of($user->name) ?>
+          <?= html::clean($user->name) ?>
         </td>
         <td>
-          <?= SafeString::of($user->full_name) ?>
+          <?= html::clean($user->full_name) ?>
         </td>
         <td>
-          <?= SafeString::of($user->email) ?>
+          <?= html::clean($user->email) ?>
         </td>
         <td>
           <?= ($user->last_login == 0) ? "" : gallery::date($user->last_login) ?>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index f89a4392..8418ebc9 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -1,6 +1,6 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <h4>
-  <?= SafeString::of($group->name) ?>
+  <?= html::clean($group->name) ?>
   <? if (!$group->special): ?>
   <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
     title="<?= t("Delete the %name group", array("name" => $group->name)) ?>"
@@ -17,7 +17,7 @@
 <ul>
   <? foreach ($group->users as $i => $user): ?>
   <li class="gUser">
-    <?= SafeString::of($user->name) ?>
+    <?= html::clean($user->name) ?>
     <? if (!$group->special): ?>
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
        class="gButtonLink ui-state-default ui-corner-all ui-icon-left"
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index e92513e7..85f673ce 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -12,7 +12,7 @@
       '<a href="' . url::site("form/edit/users/{$user->id}") .
       '" title="' . t("Edit Your Profile")->for_html_attr() .
       '" id="gUserProfileLink" class="gDialogLink">' .
-      SafeString::of($user->display_name()) . '</a>'))) ?>
+      html::clean($user->display_name()) . '</a>'))) ?>
   </li>
   <li>
     <a href="<?= url::site("logout?csrf=$csrf&amp;continue=" . urlencode(url::current(true))) ?>"
diff --git a/themes/default/views/album.html.php b/themes/default/views/album.html.php
index 8c690f5f..caabeee3 100644
--- a/themes/default/views/album.html.php
+++ b/themes/default/views/album.html.php
@@ -2,8 +2,8 @@
 <? // @todo Set hover on AlbumGrid list items for guest users ?>
 <div id="gInfo">
   <?= $theme->album_top() ?>
-  <h1><?= SafeString::purify($item->title) ?></h1>
-  <div class="gDescription"><?= nl2br(SafeString::purify($item->description)) ?></div>
+  <h1><?= html::purify($item->title) ?></h1>
+  <div class="gDescription"><?= nl2br(html::purify($item->description)) ?></div>
 </div>
 
 <ul id="gAlbumGrid">
@@ -20,7 +20,7 @@
     </a>
     <?= $theme->thumb_bottom($child) ?>
     <?= $theme->context_menu($child, "#gItemId-{$child->id} .gThumbnail") ?>
-    <h2><span></span><a href="<?= $child->url() ?>"><?= SafeString::of($child->title) ?></a></h2>
+    <h2><span></span><a href="<?= $child->url() ?>"><?= html::clean($child->title) ?></a></h2>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
     </ul>
diff --git a/themes/default/views/dynamic.html.php b/themes/default/views/dynamic.html.php
index 2d8e04a2..9ed9d69b 100644
--- a/themes/default/views/dynamic.html.php
+++ b/themes/default/views/dynamic.html.php
@@ -3,7 +3,7 @@
   <div id="gAlbumHeaderButtons">
     <?= $theme->dynamic_top() ?>
   </div>
-  <h1><?= SafeString::of($title) ?></h1>
+  <h1><?= html::clean($title) ?></h1>
 </div>
 
 <ul id="gAlbumGrid">
@@ -16,7 +16,7 @@
            width="<?= $child->thumb_width ?>"
            height="<?= $child->thumb_height ?>" />
     </a>
-    <h2><?= SafeString::purify($child->title) ?></h2>
+    <h2><?= html::purify($child->title) ?></h2>
     <?= $theme->thumb_bottom($child) ?>
     <ul class="gMetadata">
       <?= $theme->thumb_info($child) ?>
diff --git a/themes/default/views/header.html.php b/themes/default/views/header.html.php
index 9e34401d..dcfa6fd8 100644
--- a/themes/default/views/header.html.php
+++ b/themes/default/views/header.html.php
@@ -19,10 +19,10 @@
   <? foreach ($parents as $parent): ?>
   <li>
     <a href="<?= url::site("albums/{$parent->id}?show=$item->id") ?>">
-      <?= SafeString::purify($parent->title) ?>
+      <?= html::purify($parent->title) ?>
     </a>
   </li>
   <? endforeach ?>
-  <li class="active"><?= SafeString::purify($item->title) ?></li>
+  <li class="active"><?= html::purify($item->title) ?></li>
 </ul>
 <? endif ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 237743b7..910814dd 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -28,8 +28,8 @@
   <?= $item->movie_img(array("class" => "gMovie", "id" => "gMovieId-{$item->id}")) ?>
 
   <div id="gInfo">
-    <h1><?= SafeString::purify($item->title) ?></h1>
-       <div><?= nl2br(SafeString::purify($item->description)) ?></div>
+    <h1><?= html::purify($item->title) ?></h1>
+       <div><?= nl2br(html::purify($item->description)) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 5b5cb12b..c601c4cc 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= $theme->item()->file_url()->for_js() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size("<?= html::escape_for_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
@@ -51,8 +51,8 @@
   </div>
 
   <div id="gInfo">
-    <h1><?= SafeString::purify($item->title) ?></h1>
-    <div><?= nl2br(SafeString::purify($item->description)) ?></div>
+    <h1><?= html::purify($item->title) ?></h1>
+    <div><?= nl2br(html::purify($item->description)) ?></div>
   </div>
 
   <?= $theme->photo_bottom() ?>
-- 
cgit v1.2.3


From 8c3a2db3803ccaa3572f0bf061ca7faf62f13fca Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Mon, 31 Aug 2009 21:28:37 -0700
Subject: Fix typo in description

---
 modules/rss/module.info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/rss')

diff --git a/modules/rss/module.info b/modules/rss/module.info
index 81ee7848..48375da1 100644
--- a/modules/rss/module.info
+++ b/modules/rss/module.info
@@ -1,3 +1,3 @@
 name = "RSS"
-description = "Provide a RSS feeds"
+description = "Provides RSS feeds"
 version = 1
-- 
cgit v1.2.3


From 2bc73e2e36fefc3c1ee1b8e97e686c6729e58dcb Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Mon, 31 Aug 2009 21:51:57 -0700
Subject: Fix XSS vectors in HTML attributes (mostly t() calls)

---
 .../views/admin_block_recent_comments.html.php     |  2 +-
 modules/comment/views/admin_comments.html.php      |  2 +-
 modules/comment/views/comment.html.php             |  2 +-
 modules/comment/views/comments.html.php            |  2 +-
 modules/exif/views/exif_sidebar.html.php           |  2 +-
 .../gallery/views/admin_advanced_settings.html.php |  2 +-
 .../views/admin_block_photo_stream.html.php        |  4 +--
 modules/gallery/views/admin_modules.html.php       |  2 +-
 modules/gallery/views/admin_themes.html.php        | 12 +++----
 modules/gallery/views/after_install.html.php       |  2 +-
 .../gallery/views/after_install_loader.html.php    |  2 +-
 modules/gallery/views/l10n_client.html.php         |  2 +-
 modules/gallery/views/move_browse.html.php         |  2 +-
 modules/gallery/views/permissions_form.html.php    | 42 +++++++++++-----------
 modules/gallery/views/simple_uploader.html.php     |  2 +-
 modules/rss/views/feed.mrss.php                    | 10 +++---
 modules/search/views/search_link.html.php          |  2 +-
 modules/user/views/admin_users.html.php            | 10 +++---
 modules/user/views/admin_users_group.html.php      |  6 ++--
 modules/user/views/login.html.php                  |  2 +-
 modules/watermark/views/admin_watermarks.html.php  |  6 ++--
 themes/admin_default/views/admin.html.php          |  2 +-
 themes/default/views/page.html.php                 |  4 +--
 themes/default/views/photo.html.php                |  2 +-
 24 files changed, 63 insertions(+), 63 deletions(-)

(limited to 'modules/rss')

diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php
index dc3975e0..2afa5bf8 100644
--- a/modules/comment/views/admin_block_recent_comments.html.php
+++ b/modules/comment/views/admin_block_recent_comments.html.php
@@ -4,7 +4,7 @@
   <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
     <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
          class="gAvatar"
-         alt="<?= html::clean($comment->author_name()) ?>"
+         alt="<?= html::clean_attribute($comment->author_name()) ?>"
          width="32"
          height="32" />
     <?= gallery::date_time($comment->created) ?>
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index 588c3ebc..f5970ae1 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -122,7 +122,7 @@
             <a href="<?= $item->url() ?>">
               <? if ($item->has_thumb()): ?>
               <img src="<?= $item->thumb_url() ?>"
-                 alt="<?= html::purify($item->title) ?>"
+                 alt="<?= html::purify($item->title)->for_html_attr() ?>"
                  <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
               />
               <? else: ?>
diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php
index 1d0786cb..ce4e197d 100644
--- a/modules/comment/views/comment.html.php
+++ b/modules/comment/views/comment.html.php
@@ -4,7 +4,7 @@
     <a href="#">
       <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
            class="gAvatar"
-           alt="<?= html::clean($comment->author_name()) ?>"
+           alt="<?= html::clean_attribute($comment->author_name()) ?>"
            width="40"
            height="40" />
     </a>
diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index 1e45c946..b7ebdf3a 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -18,7 +18,7 @@
       <a href="#">
         <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
              class="gAvatar"
-             alt="<?= html::clean($comment->author_name()) ?>"
+             alt="<?= html::clean_attribute($comment->author_name()) ?>"
              width="40"
              height="40" />
       </a>
diff --git a/modules/exif/views/exif_sidebar.html.php b/modules/exif/views/exif_sidebar.html.php
index ee528613..60c0e1d4 100644
--- a/modules/exif/views/exif_sidebar.html.php
+++ b/modules/exif/views/exif_sidebar.html.php
@@ -1,5 +1,5 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
-<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details") ?>"
+<a id="gExifDataLink" href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details")->for_html_attr() ?>"
   class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all">
   <span class="ui-icon ui-icon-info"></span>
   <?= t("View more information") ?>
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index 4235e8f8..c3595da5 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -24,7 +24,7 @@
       <td>
         <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>"
           class="gDialogLink"
-          title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
+          title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name))->for_html_attr() ?>">
           <? if ($var->value): ?>
           <?= html::clean($var->value) ?>
           <? else: ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index a50836ad..1b9d8ff5 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::purify($photo->title)->for_html_attr() ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= html::purify($photo->title)->for_html_attr() ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_modules.html.php b/modules/gallery/views/admin_modules.html.php
index 168e20d0..9cf03cb3 100644
--- a/modules/gallery/views/admin_modules.html.php
+++ b/modules/gallery/views/admin_modules.html.php
@@ -27,6 +27,6 @@
       <? $i++ ?>
       <? endforeach ?>
     </table>
-    <input type="submit" value="<?= t("Update") ?>"/>
+    <input type="submit" value="<?= t("Update")->for_html_attr() ?>"/>
   </form>
 </div>
diff --git a/modules/gallery/views/admin_themes.html.php b/modules/gallery/views/admin_themes.html.php
index dc13a6a0..0aac4717 100644
--- a/modules/gallery/views/admin_themes.html.php
+++ b/modules/gallery/views/admin_themes.html.php
@@ -16,7 +16,7 @@
   <h2> <?= t("Gallery theme") ?> </h2>
   <div class="gBlock gSelected">
     <img src="<?= url::file("themes/{$site}/thumbnail.png") ?>"
-         alt="<?= $themes[$site]->name ?>" />
+         alt="<?= html::clean_attribute($themes[$site]->name) ?>" />
     <h3> <?= $themes[$site]->name ?> </h3>
     <p>
       <?= $themes[$site]->description ?>
@@ -30,9 +30,9 @@
     <? if (!$info->site) continue ?>
     <? if ($id == $site) continue ?>
     <div class="gBlock">
-      <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>">
+      <a href="<?= url::site("admin/themes/preview/site/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>">
         <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>"
-             alt="<?= $info->name ?>" />
+             alt="<?= html::clean_attribute($info->name) ?>" />
         <h3> <?= $info->name ?> </h3>
         <p>
           <?= $info->description ?>
@@ -54,7 +54,7 @@
   <h2> <?= t("Admin theme") ?> </h2>
   <div class="gBlock gSelected">
     <img src="<?= url::file("themes/{$admin}/thumbnail.png") ?>"
-         alt="<?= $themes[$admin]->name ?>" />
+         alt="<?= html::clean_attribute($themes[$admin]->name) ?>" />
     <h3> <?= $themes[$admin]->name ?> </h3>
     <p>
       <?= $themes[$admin]->description ?>
@@ -68,9 +68,9 @@
     <? if (!$info->admin) continue ?>
     <? if ($id == $admin) continue ?>
     <div class="gBlock">
-      <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name)) ?>">
+      <a href="<?= url::site("admin/themes/preview/admin/$id") ?>" class="gDialogLink" title="<?= t("Theme Preview: %theme_name", array("theme_name" => $info->name))->for_html_attr() ?>">
         <img src="<?= url::file("themes/{$id}/thumbnail.png") ?>"
-             alt="<?= $info->name ?>" />
+             alt="<?= html::clean_attribute($info->name) ?>" />
         <h3> <?= $info->name ?> </h3>
         <p>
           <?= $info->description ?>
diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php
index b77a1707..897946a2 100644
--- a/modules/gallery/views/after_install.html.php
+++ b/modules/gallery/views/after_install.html.php
@@ -13,7 +13,7 @@
 
 <p>
   <a href="<?= url::site("form/edit/users/{$user->id}") ?>"
-    title="<?= t("Edit Your Profile") ?>"
+    title="<?= t("Edit Your Profile")->for_html_attr() ?>"
     id="gAfterInstallChangePasswordLink" class="gButtonLink ui-state-default ui-corners-all"><?= t("Change Password Now") ?></a>
   <script>
     $("#gAfterInstallChangePasswordLink").gallery_dialog();
diff --git a/modules/gallery/views/after_install_loader.html.php b/modules/gallery/views/after_install_loader.html.php
index 54484963..c2e3e1d9 100644
--- a/modules/gallery/views/after_install_loader.html.php
+++ b/modules/gallery/views/after_install_loader.html.php
@@ -1,6 +1,6 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <span id="gAfterInstall"
-      title="<?= t("Welcome to Gallery 3") ?>"
+      title="<?= t("Welcome to Gallery 3")->for_html_attr() ?>"
       href="<?= url::site("after_install") ?>"/>
 <script type="text/javascript">
   $(document).ready(function(){$("#gAfterInstall").gallery_dialog({immediate: true});});
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index c68a63c8..3a43f7d3 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -66,7 +66,7 @@
           (<a href="http://www.unicode.org/cldr/data/charts/supplemental/language_plural_rules.html"><?= t("learn more about plural forms") ?></a>)
           <?= form::textarea("l10n-edit-plural-translation-other", "", ' rows="2"') ?>
         </div>
-        <input type="submit" name="l10n-edit-save" value="<?= t("Save translation") ?>"/>
+        <input type="submit" name="l10n-edit-save" value="<?= t("Save translation")->for_html_attr() ?>"/>
         <a href="javascript: Gallery.l10nClient.copySourceText()"
            class="gButtonLink ui-state-default ui-corner-all"><?= t("Copy source text") ?></a>
       </form>
diff --git a/modules/gallery/views/move_browse.html.php b/modules/gallery/views/move_browse.html.php
index 4f69c0e9..99728ecc 100644
--- a/modules/gallery/views/move_browse.html.php
+++ b/modules/gallery/views/move_browse.html.php
@@ -42,6 +42,6 @@
   <form method="post" action="<?= url::site("move/save/$source->id") ?>">
     <?= access::csrf_form_field() ?>
     <input type="hidden" name="target_id" value="" />
-    <input type="submit" id="gMoveButton" value="<?= t("Move") ?>" disabled="disabled"/>
+    <input type="submit" id="gMoveButton" value="<?= t("Move")->for_html_attr() ?>" disabled="disabled"/>
   </form>
 </div>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index e6b217c5..a0bb35f2 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -20,9 +20,9 @@
 
         <? if ($lock): ?>
           <td class="gDenied">
-            <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album') ?>" alt="<?= t('denied icon') ?>" />
-            <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album') ?>">
-              <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon') ?>" />
+            <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" title="<?= t('denied and locked through parent album')->for_html_attr() ?>" alt="<?= t('denied icon')->for_html_attr() ?>" />
+            <a href="javascript:show(<?= $lock->id ?>)" title="<?= t('click to go to parent album')->for_html_attr() ?>">
+              <img src="<?= url::file('themes/default/images/ico-lock.png') ?>" alt="<?= t('locked icon')->for_html_attr() ?>" />
             </a>
           </td>
         <? else: ?>
@@ -30,23 +30,23 @@
             <? if ($allowed): ?>
               <td class="gAllowed">
                 <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('allowed through parent album, click to allow explicitly') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon') ?>" />
+                  title="<?= t('allowed through parent album, click to allow explicitly')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-success-pale.png') ?>" alt="<?= t('passive allowed icon')->for_html_attr() ?>" />
                 </a>
                 <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('click to deny') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" />
+                  title="<?= t('click to deny')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" />
                 </a>
               </td>
             <? else: ?>
               <td class="gDenied">
                 <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('click to allow') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" />
+                  title="<?= t('click to allow')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" />
                 </a>
                 <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('denied through parent album, click to deny explicitly') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon') ?>" />
+                  title="<?= t('denied through parent album, click to deny explicitly')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-denied-pale.png') ?>" alt="<?= t('passive denied icon')->for_html_attr() ?>" />
                 </a>
               </td>
             <? endif ?>
@@ -54,31 +54,31 @@
           <? elseif ($intent === access::DENY): ?>
             <td class="gDenied">
               <a href="javascript:set('allow',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                title="<?= t('click to allow') ?>">
-                <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon') ?>" />
+                title="<?= t('click to allow')->for_html_attr() ?>">
+                <img src="<?= url::file('themes/default/images/ico-success-gray.png') ?>" alt="<?= t('inactive allowed icon')->for_html_attr() ?>" />
               </a>
               <? if ($item->id == 1): ?>
-                <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" title="<?= t('denied') ?>"/>
+                <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" title="<?= t('denied')->for_html_attr() ?>"/>
               <? else: ?>
                 <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('denied, click to reset') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon') ?>" />
+                  title="<?= t('denied, click to reset')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-denied.png') ?>" alt="<?= t('denied icon')->for_html_attr() ?>" />
                 </a>
               <? endif ?>
             </td>
           <? elseif ($intent === access::ALLOW): ?>
             <td class="gAllowed">
               <? if ($item->id == 1): ?>
-                <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed") ?>" alt="<?= t('allowed icon') ?>" />
+                <img src="<?= url::file('themes/default/images/ico-success.png') ?>" title="<?= t("allowed")->for_html_attr() ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" />
               <? else: ?>
                 <a href="javascript:set('reset',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                  title="<?= t('allowed, click to reset') ?>">
-                  <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon') ?>" />
+                  title="<?= t('allowed, click to reset')->for_html_attr() ?>">
+                  <img src="<?= url::file('themes/default/images/ico-success.png') ?>" alt="<?= t('allowed icon')->for_html_attr() ?>" />
                 </a>
               <? endif ?>
               <a href="javascript:set('deny',<?= $group->id ?>,<?= $permission->id ?>,<?= $item->id ?>)"
-                title="<?= t('click to deny') ?>">
-                <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon') ?>" />
+                title="<?= t('click to deny')->for_html_attr() ?>">
+                <img src="<?= url::file('themes/default/images/ico-denied-gray.png') ?>" alt="<?= t('inactive denied icon')->for_html_attr() ?>" />
               </a>
             </td>
           <? endif ?>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 9cf554ec..7f8a96df 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -35,7 +35,7 @@
     <span id="gUploadQueueInfo">
       <?= t("Upload Queue") ?>
     </span>
-    <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads") ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a>
+    <a id="gUploadCancel" title="<?= t("Cancel all the pending uploads")->for_html_attr() ?>" onclick="swfu.cancelQueue();"><?= t("cancel") ?></a>
   </p>
   <div id="gAddPhotosCanvas" style="text-align: center;">
     <div id="gAddPhotosQueue"></div>
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 731703c7..3612cbc0 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= html::clean($child->title) ?></title>
+      <title><?= html::purify($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= html::clean($child->description) ?></span>
+          <span><?= html::purify($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= html::clean($child->title) ?>"
+                 title="<?= html::purify($child->title)->for_html_attr() ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= html::clean($child->title) ?>"
+                 title="<?= html::purify($child->title)->for_html_attr() ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= html::clean($child->description) ?>
+            <?= html::purify($child->description) ?>
           </p>
         ]]>
       </content:encoded>
diff --git a/modules/search/views/search_link.html.php b/modules/search/views/search_link.html.php
index 3f1bca91..51bb4e14 100644
--- a/modules/search/views/search_link.html.php
+++ b/modules/search/views/search_link.html.php
@@ -6,7 +6,7 @@
       <input type="text" name="q" id="gSearch"/>
     </li>
     <li>
-      <input type="submit" value="<?= t("Go") ?>" />
+      <input type="submit" value="<?= t("Go")->for_html_attr() ?>" />
     </li>
   </ul>
 </form>
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 9455f9d9..c065e4b1 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -44,7 +44,7 @@
 <div class="gBlock">
   <a href="<?= url::site("admin/users/add_user_form") ?>"
       class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all"
-      title="<?= t("Create a new user") ?>">
+      title="<?= t("Create a new user")->for_html_attr() ?>">
     <span class="ui-icon ui-icon-circle-plus"></span>
     <?= t("Add a new user") ?>
   </a>
@@ -67,8 +67,8 @@
       <tr id="gUser-<?= $user->id ?>" class="<?= text::alternate("gOddRow", "gEvenRow") ?> user <?= $user->admin ? "admin" : "" ?>">
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
-               title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= html::clean($user->name) ?>"
+               title="<?= t("Drag user onto group below to add as a new member")->for_html_attr() ?>"
+               alt="<?= html::clean_attribute($user->name) ?>"
                width="20"
                height="20" />
           <?= html::clean($user->name) ?>
@@ -92,7 +92,7 @@
               class="gDialogLink gButtonLink ui-state-default ui-corner-all ui-icon-left">
             <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a>
           <? else: ?>
-          <span title="<?= t("This user cannot be deleted") ?>"
+          <span title="<?= t("This user cannot be deleted")->for_html_attr() ?>"
               class="gButtonLink ui-state-disabled ui-corner-all ui-icon-left">
             <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></span>
           <? endif ?>
@@ -106,7 +106,7 @@
 <div id="gGroupAdmin" class="gBlock">
   <a href="<?= url::site("admin/users/add_group_form") ?>"
       class="gDialogLink gButtonLink right ui-icon-left ui-state-default ui-corner-all"
-      title="<?= t("Create a new group") ?>">
+      title="<?= t("Create a new group")->for_html_attr() ?>">
     <span class="ui-icon ui-icon-circle-plus"></span>
     <?= t("Add a new group") ?>
   </a>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index 8418ebc9..476e0817 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -3,11 +3,11 @@
   <?= html::clean($group->name) ?>
   <? if (!$group->special): ?>
   <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
-    title="<?= t("Delete the %name group", array("name" => $group->name)) ?>"
+    title="<?= t("Delete the %name group", array("name" => $group->name))->for_html_attr() ?>"
     class="gDialogLink gButtonLink ui-state-default ui-corner-all">
     <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
   <? else: ?>
-  <a title="<?= t("This default group cannot be deleted") ?>"
+  <a title="<?= t("This default group cannot be deleted")->for_html_attr() ?>"
      class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left">
     <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
   <? endif ?>
@@ -22,7 +22,7 @@
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
        class="gButtonLink ui-state-default ui-corner-all ui-icon-left"
        title="<?= t("Remove %user from %group group",
-              array("user" => $user->name, "group" => $group->name)) ?>">
+              array("user" => $user->name, "group" => $group->name))->for_html_attr() ?>">
       <span class="ui-icon ui-icon-closethick"><?= t("remove") ?></span>
     </a>
     <? endif ?>
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index 27431ce8..bb670d51 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -3,7 +3,7 @@
   <? if ($user->guest): ?>
   <li class="first">
     <a href="<?= url::site("login/ajax") ?>"
-       title="<?= t("Login to Gallery") ?>"
+       title="<?= t("Login to Gallery")->for_html_attr() ?>"
        id="gLoginLink"><?= t("Login") ?></a>
   </li>
   <? else: ?>
diff --git a/modules/watermark/views/admin_watermarks.html.php b/modules/watermark/views/admin_watermarks.html.php
index e83a7efa..ac69d21d 100644
--- a/modules/watermark/views/admin_watermarks.html.php
+++ b/modules/watermark/views/admin_watermarks.html.php
@@ -7,7 +7,7 @@
 
   <? if (empty($name)): ?>
   <a href="<?= url::site("admin/watermarks/form_add") ?>"
-     title="<?= t("Upload a watermark") ?>"
+     title="<?= t("Upload a watermark")->for_html_attr() ?>"
      class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-document-b"></span><?= t("Upload a watermark") ?></a>
   <? else: ?>
   <h2> <?= t("Active Watermark") ?> </h2>
@@ -26,10 +26,10 @@
     </div>
     <div class="controls">
       <a href="<?= url::site("admin/watermarks/form_edit") ?>"
-         title="<?= t("Edit Watermark") ?>"
+         title="<?= t("Edit Watermark")->for_html_attr() ?>"
          class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-pencil"></span><?= t("edit") ?></a>
       <a href="<?= url::site("admin/watermarks/form_delete") ?>"
-         title="<?= t("Delete Watermark") ?>"
+         title="<?= t("Delete Watermark")->for_html_attr() ?>"
          class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"><span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a>
     </div>
   </div>
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index 3b1ff92c..c54fdcb5 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -48,7 +48,7 @@
           <li class="first"><?= html::anchor("albums/1", "&larr; ".t("Back to the Gallery")) ?></li>
           <li id="gLogoutLink"><a href="<?= url::site("logout?continue=albums/1&amp;csrf=$csrf") ?>"><?= t("Logout") ?></a></li>
         </ul>
-        <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery") ?>">
+        <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery")->for_html_attr() ?>">
           &larr; <?= t("back to the ...") ?>
         </a>
         <div id="gSiteAdminMenu" style="display: none;">
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index 7d181ea0..1650debe 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -81,8 +81,8 @@
           <? if ($header_text = module::get_var("gallery", "header_text")): ?>
           <?= $header_text ?>
           <? else: ?>
-          <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery home") ?>">
-            <img width="107" height="48" alt="<?= t("Gallery logo: Your photos on your web site") ?>" src="<?= $theme->url("images/logo.png") ?>" />
+          <a id="gLogo" href="<?= url::site("albums/1") ?>" title="<?= t("go back to the Gallery home")->for_html_attr() ?>">
+            <img width="107" height="48" alt="<?= t("Gallery logo: Your photos on your web site")->for_html_attr() ?>" src="<?= $theme->url("images/logo.png") ?>" />
           </a>
           <? endif ?>
           <div id="gSiteMenu">
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 5289b467..b0096043 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -40,7 +40,7 @@
   <div id="gPhoto">
     <?= $theme->resize_top($item) ?>
     <? if (access::can("view_full", $item)): ?>
-    <a href="<?= $item->file_url() ?>" class="gFullSizeLink" title="<?= t("View full size") ?>">
+    <a href="<?= $item->file_url() ?>" class="gFullSizeLink" title="<?= t("View full size")->for_html_attr() ?>">
       <? endif ?>
       <?= $item->resize_img(array("id" => "gPhotoId-{$item->id}", "class" => "gResize")) ?>
       <? if (access::can("view_full", $item)): ?>
-- 
cgit v1.2.3


From 03c5c117759aca8a3d898c6c4f03da6ddf67e81d Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 1 Sep 2009 20:13:23 -0700
Subject: Allow the RSS feed page size to be customizeable, up to 100 items (to
 mitigate DoS attacks).

Have PicLens request a 100-item page to mitigate the bug where it
refuses to load the 2nd page.

Mitigates #23.
---
 modules/rss/controllers/rss.php               |  5 ++-
 modules/slideshow/helpers/slideshow_event.php | 52 +++++++++++++++------------
 2 files changed, 34 insertions(+), 23 deletions(-)

(limited to 'modules/rss')

diff --git a/modules/rss/controllers/rss.php b/modules/rss/controllers/rss.php
index e9dd9fff..b89bed40 100644
--- a/modules/rss/controllers/rss.php
+++ b/modules/rss/controllers/rss.php
@@ -26,13 +26,16 @@ class Rss_Controller extends Controller {
       url::redirect(url::merge(array("page" => 1)));
     }
 
+    // Configurable page size between 1 and 100, default 20
+    $page_size = max(1, min(100, $this->input->get("page_size", self::$page_size)));
+
     // Run the appropriate feed callback
     if (module::is_active($module_id)) {
       $class_name = "{$module_id}_rss";
       if (method_exists($class_name, "feed")) {
         $feed = call_user_func(
           array($class_name, "feed"), $feed_id,
-          ($page - 1) * self::$page_size, self::$page_size, $id);
+          ($page - 1) * $page_size, $page_size, $id);
       }
     }
     if (empty($feed)) {
diff --git a/modules/slideshow/helpers/slideshow_event.php b/modules/slideshow/helpers/slideshow_event.php
index 77e296e8..ce26b189 100644
--- a/modules/slideshow/helpers/slideshow_event.php
+++ b/modules/slideshow/helpers/slideshow_event.php
@@ -31,36 +31,44 @@ class slideshow_event_Core {
   }
 
   static function album_menu($menu, $theme) {
-    $descendants_count = ORM::factory("item", $theme->item->id)
+    $descendants_count = ORM::factory("item", $theme->item()->id)
       ->descendants_count(array("type" => "photo"));
     if ($descendants_count > 1) {
-      $menu
-        ->append(Menu::factory("link")
-                 ->id("slideshow")
-                 ->label(t("View slideshow"))
-                 ->url("javascript:PicLensLite.start(" .
-                       "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
-                 ->css_id("gSlideshowLink"));
+      $menu->append(Menu::factory("link")
+                    ->id("slideshow")
+                    ->label(t("View slideshow"))
+                    ->url("javascript:PicLensLite.start(" .
+                          "{maxScale:0,feedUrl:'" . self::_feed_url($theme) . "'})")
+                    ->css_id("gSlideshowLink"));
     }
   }
 
   static function photo_menu($menu, $theme) {
-    $menu
-      ->append(Menu::factory("link")
-               ->id("slideshow")
-               ->label(t("View slideshow"))
-               ->url("javascript:PicLensLite.start(" .
-                     "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
-               ->css_id("gSlideshowLink"));
+    $menu->append(Menu::factory("link")
+                  ->id("slideshow")
+                  ->label(t("View slideshow"))
+                  ->url("javascript:PicLensLite.start(" .
+                        "{maxScale:0,feedUrl:'" . self::_feed_url($theme) . "'})")
+                  ->css_id("gSlideshowLink"));
   }
 
   static function tag_menu($menu, $theme) {
-    $menu
-      ->append(Menu::factory("link")
-               ->id("slideshow")
-               ->label(t("View slideshow"))
-               ->url("javascript:PicLensLite.start(" .
-                     "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
-               ->css_id("gSlideshowLink"));
+    $menu->append(Menu::factory("link")
+                  ->id("slideshow")
+                  ->label(t("View slideshow"))
+                  ->url("javascript:PicLensLite.start(" .
+                        "{maxScale:0,feedUrl:'" . self::_feed_url($theme) . "'})")
+                  ->css_id("gSlideshowLink"));
+  }
+
+  private static function _feed_url($theme) {
+    if ($item = $theme->item()) {
+      if (!$item->is_album()) {
+        $item = $item->parent();
+      }
+      return rss::url("gallery/album/{$item->id}?page_size=100");
+    } else {
+      return rss::url("tag/tag/{$theme->tag()->id}?page_size=100");
+    }
   }
 }
-- 
cgit v1.2.3


From 9fbdcf3efd37e2c6bf67b197b8c93f8790a79cbe Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 5 Sep 2009 13:39:30 -0700
Subject: Change the module installer so that you don't need to provide your
 own install() function if all you're going to do is to set the version of the
 module from module.info into the database.  This means that for some simple
 modules, you don't need an install.php file at all.

---
 modules/akismet/helpers/akismet_installer.php      |  4 ----
 modules/gallery/helpers/module.php                 |  9 ++++++++
 .../image_block/helpers/image_block_installer.php  | 24 ----------------------
 modules/info/helpers/info_installer.php            | 24 ----------------------
 modules/organize/helpers/organize_installer.php    | 24 ----------------------
 modules/recaptcha/helpers/recaptcha_installer.php  |  4 ----
 modules/rss/helpers/rss_installer.php              | 24 ----------------------
 modules/slideshow/helpers/slideshow_installer.php  |  4 ----
 8 files changed, 9 insertions(+), 108 deletions(-)
 delete mode 100644 modules/image_block/helpers/image_block_installer.php
 delete mode 100644 modules/info/helpers/info_installer.php
 delete mode 100644 modules/organize/helpers/organize_installer.php
 delete mode 100644 modules/rss/helpers/rss_installer.php

(limited to 'modules/rss')

diff --git a/modules/akismet/helpers/akismet_installer.php b/modules/akismet/helpers/akismet_installer.php
index 5d8c0e07..b891fc7b 100644
--- a/modules/akismet/helpers/akismet_installer.php
+++ b/modules/akismet/helpers/akismet_installer.php
@@ -18,10 +18,6 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class akismet_installer {
-  static function install() {
-    module::set_version("akismet", 1);
-  }
-
   static function activate() {
     akismet::check_config();
   }
diff --git a/modules/gallery/helpers/module.php b/modules/gallery/helpers/module.php
index 03d538a9..a3088c38 100644
--- a/modules/gallery/helpers/module.php
+++ b/modules/gallery/helpers/module.php
@@ -119,6 +119,8 @@ class module_Core {
     $installer_class = "{$module_name}_installer";
     if (method_exists($installer_class, "install")) {
       call_user_func_array(array($installer_class, "install"), array());
+    } else {
+      module::set_version($module_name, 1);
     }
     module::load_modules();
 
@@ -145,6 +147,13 @@ class module_Core {
     $installer_class = "{$module_name}_installer";
     if (method_exists($installer_class, "upgrade")) {
       call_user_func_array(array($installer_class, "upgrade"), array($version_before));
+    } else {
+      $available = module::available();
+      if (isset($available->$module_name->code_version)) {
+        module::set_version($module_name, $available->$module_name->code_version);
+      } else {
+        throw new Exception("@todo UNKNOWN_MODULE");
+      }
     }
     module::load_modules();
 
diff --git a/modules/image_block/helpers/image_block_installer.php b/modules/image_block/helpers/image_block_installer.php
deleted file mode 100644
index 7ea6a229..00000000
--- a/modules/image_block/helpers/image_block_installer.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.");
-/**
- * Gallery - a web based photo album viewer and editor
- * Copyright (C) 2000-2009 Bharat Mediratta
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at
- * your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
- */
-class image_block_installer {
-  static function install() {
-    module::set_version("image_block", 1);
-  }
-}
diff --git a/modules/info/helpers/info_installer.php b/modules/info/helpers/info_installer.php
deleted file mode 100644
index e3e78b90..00000000
--- a/modules/info/helpers/info_installer.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.");
-/**
- * Gallery - a web based photo album viewer and editor
- * Copyright (C) 2000-2009 Bharat Mediratta
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at
- * your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
- */
-class info_installer {
-  static function install() {
-    module::set_version("info", 1);
-  }
-}
diff --git a/modules/organize/helpers/organize_installer.php b/modules/organize/helpers/organize_installer.php
deleted file mode 100644
index 22ca1793..00000000
--- a/modules/organize/helpers/organize_installer.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.");
-/**
- * Gallery - a web based photo album viewer and editor
- * Copyright (C) 2000-2009 Bharat Mediratta
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at
- * your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
- */
-class organize_installer {
-  static function install() {
-    module::set_version("organize", 1);
-  }
-}
diff --git a/modules/recaptcha/helpers/recaptcha_installer.php b/modules/recaptcha/helpers/recaptcha_installer.php
index 12044a1b..e04822ea 100644
--- a/modules/recaptcha/helpers/recaptcha_installer.php
+++ b/modules/recaptcha/helpers/recaptcha_installer.php
@@ -18,10 +18,6 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class recaptcha_installer {
-  static function install() {
-    module::set_version("recaptcha", 1);
-  }
-
   static function activate() {
     recaptcha::check_config();
   }
diff --git a/modules/rss/helpers/rss_installer.php b/modules/rss/helpers/rss_installer.php
deleted file mode 100644
index 7766fdfa..00000000
--- a/modules/rss/helpers/rss_installer.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.");
-/**
- * Gallery - a web based photo album viewer and editor
- * Copyright (C) 2000-2009 Bharat Mediratta
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at
- * your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
- */
-class rss_installer {
-  static function install() {
-    module::set_version("rss", 1);
-  }
-}
diff --git a/modules/slideshow/helpers/slideshow_installer.php b/modules/slideshow/helpers/slideshow_installer.php
index cd1c6e05..56874a6a 100644
--- a/modules/slideshow/helpers/slideshow_installer.php
+++ b/modules/slideshow/helpers/slideshow_installer.php
@@ -18,10 +18,6 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class slideshow_installer {
-  static function install() {
-    module::set_version("slideshow", 1);
-  }
-
   static function deactivate() {
     site_status::clear("slideshow_needs_rss");
   }
-- 
cgit v1.2.3