From 51dca582cd2cda9416ec0172f8ed9a19ba828fec Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 19 Jul 2009 16:50:35 -0700 Subject: More thorough fix for #421. Create User_Model::display_name() which uses the full name if there is one, or falls back to the name if that's all we have. --- modules/user/views/login.html.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/user/views/login.html.php') diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php index 7617d131..4c1a5b3c 100644 --- a/modules/user/views/login.html.php +++ b/modules/user/views/login.html.php @@ -12,7 +12,7 @@ 'id}") . '" title="' . t("Edit Your Profile") . '" id="gUserProfileLink" class="gDialogLink">' . - p::clean(empty($user->full_name) ? $user->name : $user->full_name) . '')) ?> + p::clean($user->display_name()) . '')) ?>
  • " -- cgit v1.2.3 From 050c82cf80b06a555252efaf701434b0cfd59bed Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 21 Jul 2009 11:09:23 -0700 Subject: Escape bare & symbols so that we use valid entities. Fixes ticket #577. --- modules/organize/views/organize.html.php | 2 +- modules/server_add/views/admin_server_add.html.php | 2 +- modules/server_add/views/server_add_tree_dialog.html.php | 2 +- modules/user/views/login.html.php | 2 +- themes/admin_default/views/admin.html.php | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) (limited to 'modules/user/views/login.html.php') diff --git a/modules/organize/views/organize.html.php b/modules/organize/views/organize.html.php index 65d67d04..1686d255 100644 --- a/modules/organize/views/organize.html.php +++ b/modules/organize/views/organize.html.php @@ -33,7 +33,7 @@ var CONFIRM_DELETE = "
    "> + ref="">
      diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php index 588a9fca..30ab3536 100644 --- a/modules/server_add/views/admin_server_add.html.php +++ b/modules/server_add/views/admin_server_add.html.php @@ -11,7 +11,7 @@
        $path): ?>
      • - " + " id="icon_" class="gRemoveDir ui-icon ui-icon-trash"> X diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php index 21952849..a4eda3b9 100644 --- a/modules/server_add/views/server_add_tree_dialog.html.php +++ b/modules/server_add/views/server_add_tree_dialog.html.php @@ -1,7 +1,7 @@
      • - " + " id="gLogoutLink">
        • diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php index 575f8a96..b0ddb6c5 100644 --- a/themes/admin_default/views/admin.html.php +++ b/themes/admin_default/views/admin.html.php @@ -45,7 +45,7 @@ admin_header_top() ?> ')) ?>
      • - " + " id="gLogoutLink">
        • -- cgit v1.2.3 From 020281d932c566476222e6c825ada3affff239a6 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Sat, 29 Aug 2009 10:45:47 -0700 Subject: Adding SafeString which is going to replace p::clean() and p::purify(). Refactoring of Xss_Security_Test. t() and t2() return a SafeString instance. TODO: - Update all code to use SafeString where appropriate. - Update golden fole of Xss_Security_Test - Stop reporting CLEAN vars in Xss_Security_Test --- modules/gallery/helpers/p.php | 16 +- modules/gallery/libraries/I18n.php | 20 +- modules/gallery/libraries/MY_ORM.php | 4 + modules/gallery/libraries/SafeString.php | 142 ++++++++++++ modules/gallery/tests/SafeString_Test.php | 111 ++++++++++ modules/gallery/tests/Xss_Security_Test.php | 325 ++++++++++++++++++++++------ modules/user/views/login.html.php | 6 +- 7 files changed, 535 insertions(+), 89 deletions(-) create mode 100644 modules/gallery/libraries/SafeString.php create mode 100644 modules/gallery/tests/SafeString_Test.php (limited to 'modules/user/views/login.html.php') diff --git a/modules/gallery/helpers/p.php b/modules/gallery/helpers/p.php index 862c769b..e852c086 100644 --- a/modules/gallery/helpers/p.php +++ b/modules/gallery/helpers/p.php @@ -18,22 +18,12 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class p_Core { - private static $_purifier = null; static function clean($dirty_html) { - return html::specialchars($dirty_html); + return new SafeString($dirty_html); } + // Deprecated: Please use p::clean($var).purified_html() static function purify($dirty_html) { - if (empty(self::$_purifier)) { - require_once(dirname(__file__) . "/../lib/HTMLPurifier/HTMLPurifier.auto.php"); - $config = HTMLPurifier_Config::createDefault(); - foreach (Kohana::config('purifier') as $category => $key_value) { - foreach ($key_value as $key => $value) { - $config->set("$category.$key", $value); - } - } - self::$_purifier = new HTMLPurifier($config); - } - return self::$_purifier->purify($dirty_html); + return SafeString::of($dirty_html)->purified_html(); } } diff --git a/modules/gallery/libraries/I18n.php b/modules/gallery/libraries/I18n.php index 03a6d8f6..8dc42e04 100644 --- a/modules/gallery/libraries/I18n.php +++ b/modules/gallery/libraries/I18n.php @@ -84,6 +84,12 @@ class I18n_Core { /** * Translates a localizable message. + * + * Security: + * The returned string is safe for use in HTML (it contains a safe subset of HTML and + * interpolation parameters are converted to HTML entities). + * For use in JavaScript, please call ->for_js() on it. + * * @param $message String|array The message to be translated. E.g. "Hello world" * or array("one" => "One album", "other" => "%count albums") * @param $options array (optional) Options array for key value pairs which are used @@ -110,7 +116,7 @@ class I18n_Core { $entry = $this->interpolate($locale, $entry, $values); - return $entry; + return SafeString::of($entry)->mark_html_safe(); } private function lookup($locale, $message) { @@ -179,17 +185,19 @@ class I18n_Core { return is_array($message); } - private function interpolate($locale, $string, $values) { + private function interpolate($locale, $string, $key_values) { // TODO: Handle locale specific number formatting. // Replace x_y before replacing x. - krsort($values, SORT_STRING); + krsort($key_values, SORT_STRING); $keys = array(); - foreach (array_keys($values) as $key) { + $values = array(); + foreach ($key_values as $key => $value) { $keys[] = "%$key"; + $values[] = new SafeString($value); } - return str_replace($keys, array_values($values), $string); + return str_replace($keys, $values, $string); } private function pluralize($locale, $entry, $count) { @@ -414,4 +422,4 @@ class I18n_Core { return $count == 1 ? 'one' : 'other'; } } -} \ No newline at end of file +} diff --git a/modules/gallery/libraries/MY_ORM.php b/modules/gallery/libraries/MY_ORM.php index de8adc1d..2c9ad1d7 100644 --- a/modules/gallery/libraries/MY_ORM.php +++ b/modules/gallery/libraries/MY_ORM.php @@ -43,6 +43,10 @@ class ORM extends ORM_Core { $this->original = clone $this; } + if ($value instanceof SafeString) { + $value = $value->unescaped(); + } + return parent::__set($column, $value); } diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php new file mode 100644 index 00000000..53bcb27a --- /dev/null +++ b/modules/gallery/libraries/SafeString.php @@ -0,0 +1,142 @@ +_is_safe_html = $string->_is_safe_html; + $string = $string->unescaped(); + } + $this->_raw_string = (string) $string; + } + + /** + * Factory method returning a new SafeString instance for the given string. + */ + static function of($string) { + return new SafeString($string); + } + + /** + * Marks this string as safe to be used in HTML without any escaping. + */ + function mark_html_safe() { + $this->_is_safe_html = true; + return $this; + } + + /** + * Safe for use in HTML. + * @see #for_html() + */ + function __toString() { + if ($this->_is_safe_html) { + return $this->_raw_string; + } else { + return self::_escape_for_html($this->_raw_string); + } + } + + /** + * Safe for use in HTML. + * + * Example:
        +   *   
         
+   *
        + * @return the string escaped for use in HTML. + */ + function for_html() { + return $this; + } + + /** + * Safe for use in JavaScript. + * + * Example:
        +   *    block?
+	if (is_array($token) && $token[0] == T_INLINE_HTML) {
+	  $inline_html = $token[1];
+	  // T_INLINE_HTML blocks can be split. Need to handle the case
+	  // where one token has "expr_append($inline_html);
+	  }
+
+	  // Note: This approach won't catch }i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+	    $last_match = array_pop($matches[0]);
+	    if (is_array($last_match)) {
+	      $closing_script_pos = $last_match[1];
+	    } else {
+	      $closing_script_pos = $last_match;
+	    }
+	  }
+	  if (preg_match('{]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+	    $last_match = array_pop($matches[0]);
+	    if (is_array($last_match)) {
+	      $opening_script_pos = $last_match[1];
+	    } else {
+	      $opening_script_pos = $last_match;
+	    }
+	  }
+	  if ($opening_script_pos != $closing_script_pos) {
+	    $in_script_block = $opening_script_pos > $closing_script_pos;
+	  }
+	}
+
+	// Look and report each instance of < ? = ... ? >
+	if (!is_array($token)) {
+	  // A single char token, e.g: ; ( )
+	  if ($frame) {
+	    $frame->expr_append($token);
+	  }
+	} else if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
+	  // No need for a stack here - assume < ? = cannot be nested.
+	  $frame = self::_create_frame($token, $in_script_block);
+        } else if ($frame && $token[0] == T_CLOSE_TAG) {
+	  // Store the < ? = ... ? > block that just ended here.
+	  $found[$view][] = $frame;
+	  $frame = null;
+        } else if ($frame && $token[0] == T_VARIABLE) {
+	  $frame->expr_append($token[1]);
+	} else if ($frame && $token[0] == T_STRING) {
+	  $frame->expr_append($token[1]);
+	  // t() and t2() are special in that they're guaranteed to return a SafeString().
+	  if (in_array($token[1], array("t", "t2"))) {
+	    if (self::_token_matches("(", $tokens, $token_number + 1)) {
+	      $frame->is_safestring(true);
+	      $frame->expr_append("(");
+
+	      $token_number++;
+	      $token = $tokens[$token_number];
+	    }
+	  } else if ($token[1] == "SafeString") {
+	    // Looking for SafeString::of(...
+	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+		self::_token_matches(array(T_STRING, "of"), $tokens, $token_number + 2)	&&
+		self::_token_matches("(", $tokens, $token_number + 3)) {
+	      $frame->is_safestring(true);
+	      $frame->expr_append("::of(");
+
+	      $token_number += 3;
+	      $token = $tokens[$token_number];
+	    }
+	  } else if ($token[1] == "json_encode") {
+	    if (self::_token_matches("(", $tokens, $token_number + 1)) {
+	      $frame->json_encode_called(true);
+	      $frame->expr_append("(");
+
+	      $token_number++;
+	      $token = $tokens[$token_number];
+	    }
+	  }
+	} else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
+	  $frame->expr_append($token[1]);
+
+	  if (self::_token_matches(array(T_STRING), $tokens, $token_number + 1) &&
+	      in_array($tokens[$token_number + 1][1],
+		       array("for_js", "for_html", "purified_html")) &&
+	      self::_token_matches("(", $tokens, $token_number + 2)) {
+
+	    $method = $tokens[$token_number + 1][1];
+	    $frame->expr_append("$method(");
+
+	    $token_number += 2;
+	    $token = $tokens[$token_number];
+
+	    if ("for_js" == $method) {
+	      $frame->for_js_called(true);
+	    } else if ("for_html" == $method) {
+	      $frame->for_html_called(true);
+	    } else if ("purified_html" == $method) {
+	      $frame->purified_html_called(true);
+	    }
+	  }
+        } else if ($frame) {
+	  $frame->expr_append($token[1]);
+	}
       }
     }
 
-    $canonical = MODPATH . "gallery/tests/xss_data.txt";
+    // Generate the report.
+    /*
+     * States for uses of < ? = X ? >:
+     * JS_XSS:
+     *   In 
 
        
-   p::purify($item->title))) ?>
+   SafeString::purify($item->title))) ?>
 
        
 
        
   
        
diff --git a/modules/organize/views/organize_album.html.php b/modules/organize/views/organize_album.html.php
index ae2d5d51..4933ed32 100644
--- a/modules/organize/views/organize_album.html.php
+++ b/modules/organize/views/organize_album.html.php
@@ -7,7 +7,7 @@
 
     
         gBranchText">
-      title) ?>
+      title) ?>
     
        
     
        ">
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 447179a5..7298b7f4 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -6,9 +6,9 @@
    xmlns:fh="http://purl.org/syndication/history/1.0">
   
     gallery3
-    <?= p::clean($feed->title) ?>
+    <?= SafeString::of($feed->title) ?>
     uri ?>
-    description) ?>
+    description) ?>
     en-us
     
     
@@ -22,25 +22,25 @@
     
     children as $child): ?>
     
-      <?= p::clean($child->title) ?>
+      <?= SafeString::of($child->title) ?>
       type}s/{$child->id}") ?>
       type}s/{$child->id}") ?>
       created); ?>
       
         description) ?>
+          description) ?>
           
        
           type == "photo" || $child->type == "album"): ?>
             
        
           
             type}s/{$child->id}") ?>">
             
        
           
-            description) ?>
+            description) ?>
           
        
         ]]>
               
diff --git a/modules/search/views/search.html.php b/modules/search/views/search.html.php
index 6a222ef1..e5c7b4a6 100644
--- a/modules/search/views/search.html.php
+++ b/modules/search/views/search.html.php
@@ -8,10 +8,10 @@
     
          
       
        • 
         
-        
+        
       
          • 
       
        • 
-        " />
+        for_html_attr() ?>" />
       
          • 
     
        
   
@@ -31,10 +31,10 @@
       id") ?>">
         thumb_img() ?>
         
        
-          title) ?>
+    title) ?>
         
        
         
        
-    description)) ?>
+    description)) ?>
         
        
               
     
@@ -44,7 +44,7 @@
 
   
   
        
-    %term", array("term" => p::clean($q))) ?>
+    %term", array("term" => $q)) ?>
   
        
 
   
diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 30109f42..fac2aa44 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -38,7 +38,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
         $path = $form->add_path->path->value;
         $paths[$path] = 1;
         module::set_var("server_add", "authorized_paths", serialize($paths));
-        message::success(t("Added path %path", array("path" => p::clean($path))));
+        message::success(t("Added path %path", array("path" => $path)));
         server_add::check_config($paths);
         url::redirect("admin/server_add");
       } else {
@@ -60,7 +60,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
     $paths = unserialize(module::get_var("server_add", "authorized_paths"));
     if (isset($paths[$path])) {
       unset($paths[$path]);
-      message::success(t("Removed path %path", array("path" => p::clean($path))));
+      message::success(t("Removed path %path", array("path" => $path)));
       module::set_var("server_add", "authorized_paths", serialize($paths));
       server_add::check_config($paths);
     }
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index 254a9da0..b68544ec 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -24,7 +24,7 @@
                 
                 file=""
                 >
-            
+            
           
         
         
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index 21952849..533cad04 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -5,17 +5,17 @@
 
 
 
        
-  
         p::purify($item->title))) ?>
        
+  
         SafeString::purify($item->title))) ?>
        
 
   
        
   
          
     parents() as $parent): ?>
     
        • 
-      title) ?>
+      title) ?>
     
          • 
     
     
        • 
-      title) ?>
+      title) ?>
     
          • 
   
        
 
diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index dcdc16b9..f1b4ca3a 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -53,8 +53,8 @@ class Admin_Tags_Controller extends Admin_Controller {
       $name = $tag->name;
       Database::instance()->delete("items_tags", array("tag_id" => "$tag->id"));
       $tag->delete();
-      message::success(t("Deleted tag %tag_name", array("tag_name" => p::clean($name))));
-      log::success("tags", t("Deleted tag %tag_name", array("tag_name" => p::clean($name))));
+      message::success(t("Deleted tag %tag_name", array("tag_name" => $name)));
+      log::success("tags", t("Deleted tag %tag_name", array("tag_name" => $name)));
 
       print json_encode(
         array("result" => "success",
@@ -98,7 +98,7 @@ class Admin_Tags_Controller extends Admin_Controller {
       $tag->save();
 
       $message = t("Renamed tag %old_name to %new_name",
-                   array("old_name" => p::clean($old_name), "new_name" => p::clean($tag->name)));
+                   array("old_name" => $old_name, "new_name" => $tag->name));
       message::success($message);
       log::success("tags", $message);
 
@@ -106,7 +106,7 @@ class Admin_Tags_Controller extends Admin_Controller {
         array("result" => "success",
               "location" => url::site("admin/tags"),
               "tag_id" => $tag->id,
-              "new_tagname" => p::clean($tag->name)));
+              "new_tagname" => SafeString::of($tag->name)));
     } else {
       print json_encode(
         array("result" => "error",
diff --git a/modules/tag/helpers/tag_rss.php b/modules/tag/helpers/tag_rss.php
index f94508cf..7194586d 100644
--- a/modules/tag/helpers/tag_rss.php
+++ b/modules/tag/helpers/tag_rss.php
@@ -22,7 +22,7 @@ class tag_rss_Core {
   static function available_feeds($item, $tag) {
     if ($tag) {
       $feeds["tag/tag/{$tag->id}"] =
-        t("Tag feed for %tag_name", array("tag_name" => p::clean($tag->name)));
+        t("Tag feed for %tag_name", array("tag_name" => $tag->name));
       return $feeds;
     }
     return array();
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 7d201da7..5bd23112 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -47,7 +47,7 @@
           
 
           
      • 
-            name) ?>
+            name) ?>
             (count ?>)
             id") ?>"
                class="gDialogLink delete-link gButtonLink">
diff --git a/modules/tag/views/tag_cloud.html.php b/modules/tag/views/tag_cloud.html.php
index eba615fc..b4c6ae34 100644
--- a/modules/tag/views/tag_cloud.html.php
+++ b/modules/tag/views/tag_cloud.html.php
@@ -3,7 +3,7 @@
   
   
      • 
     count ?> photos are tagged with 
-    id") ?>">name) ?>
+    id") ?>">name) ?>
   
        •
      diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index f87602b8..521f82fa 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -51,7 +51,7 @@ class Admin_Users_Controller extends Controller { $user->save(); module::event("user_add_form_admin_completed", $user, $form); - message::success(t("Created user %user_name", array("user_name" => p::clean($user->name)))); + message::success(t("Created user %user_name", array("user_name" => $user->name))); print json_encode(array("result" => "success")); } else { print json_encode(array("result" => "error", @@ -84,7 +84,7 @@ class Admin_Users_Controller extends Controller { "form" => $form->__toString())); } - $message = t("Deleted user %user_name", array("user_name" => p::clean($name))); + $message = t("Deleted user %user_name", array("user_name" => $name)); log::success("user", $message); message::success($message); print json_encode(array("result" => "success")); @@ -142,7 +142,7 @@ class Admin_Users_Controller extends Controller { $user->save(); module::event("user_edit_form_admin_completed", $user, $form); - message::success(t("Changed user %user_name", array("user_name" => p::clean($user->name)))); + message::success(t("Changed user %user_name", array("user_name" => $user->name))); print json_encode(array("result" => "success")); } else { print json_encode(array("result" => "error", @@ -204,7 +204,7 @@ class Admin_Users_Controller extends Controller { $group = group::create($new_name); $group->save(); message::success( - t("Created group %group_name", array("group_name" => p::clean($group->name)))); + t("Created group %group_name", array("group_name" => $group->name))); print json_encode(array("result" => "success")); } else { print json_encode(array("result" => "error", @@ -233,7 +233,7 @@ class Admin_Users_Controller extends Controller { "form" => $form->__toString())); } - $message = t("Deleted group %group_name", array("group_name" => p::clean($name))); + $message = t("Deleted group %group_name", array("group_name" => $name)); log::success("group", $message); message::success($message); print json_encode(array("result" => "success")); @@ -271,11 +271,11 @@ class Admin_Users_Controller extends Controller { $group->name = $form->edit_group->inputs["name"]->value; $group->save(); message::success( - t("Changed group %group_name", array("group_name" => p::clean($group->name)))); + t("Changed group %group_name", array("group_name" => $group->name))); print json_encode(array("result" => "success")); } else { message::error( - t("Failed to change group %group_name", array("group_name" => p::clean($group->name)))); + t("Failed to change group %group_name", array("group_name" => $group->name))); print json_encode(array("result" => "error", "form" => $form->__toString())); } diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php index 4d901051..b81b17b2 100644 --- a/modules/user/controllers/login.php +++ b/modules/user/controllers/login.php @@ -63,7 +63,7 @@ class Login_Controller extends Controller { log::warning( "user", t("Failed login for %name", - array("name" => p::clean($form->login->inputs["name"]->value)))); + array("name" => $form->login->inputs["name"]->value))); $form->login->inputs["name"]->add_error("invalid_login", 1); $valid = false; } @@ -71,7 +71,7 @@ class Login_Controller extends Controller { if ($valid) { user::login($user); - log::info("user", t("User %name logged in", array("name" => p::clean($user->name)))); + log::info("user", t("User %name logged in", array("name" => $user->name))); } // Either way, regenerate the session id to avoid session trapping diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php index 099b1952..4b141a1c 100644 --- a/modules/user/controllers/logout.php +++ b/modules/user/controllers/logout.php @@ -23,8 +23,8 @@ class Logout_Controller extends Controller { $user = user::active(); user::logout(); - log::info("user", t("User %name logged out", array("name" => p::clean($user->name))), - html::anchor("user/$user->id", p::clean($user->name))); + log::info("user", t("User %name logged out", array("name" => $user->name)), + html::anchor("user/$user->id", SafeString::of($user->name))); if ($continue_url = $this->input->get("continue")) { $item = url::get_item_from_uri($continue_url); if (access::can("view", $item)) { diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index 2af1b879..066efbba 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php @@ -74,7 +74,7 @@ class Password_Controller extends Controller { log::success( "user", - t("Password reset email sent for user %name", array("name" => p::clean($user->name)))); + t("Password reset email sent for user %name", array("name" => $user->name))); } else { // Don't include the username here until you're sure that it's XSS safe log::warning( diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php index 542b8b8b..54c4847d 100644 --- a/modules/user/views/admin_users.html.php +++ b/modules/user/views/admin_users.html.php @@ -68,16 +68,16 @@ " title="" - alt="name) ?>" + alt="name) ?>" width="20" height="20" /> - name) ?> + name) ?> - full_name) ?> + full_name) ?> - email) ?> + email) ?> last_login == 0) ? "" : gallery::date($user->last_login) ?> diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php index bfd79dba..f89a4392 100644 --- a/modules/user/views/admin_users_group.html.php +++ b/modules/user/views/admin_users_group.html.php @@ -1,9 +1,9 @@

      - name) ?> + name) ?> special): ?> id") ?>" - title=" p::clean($group->name))) ?>" + title=" $group->name)) ?>" class="gDialogLink gButtonLink ui-state-default ui-corner-all"> @@ -17,12 +17,12 @@