From 9369ccab7fb3413d63e218cec81b4cf43442fd98 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sun, 31 May 2009 01:02:51 -0700
Subject: Run all variables that come from user-entered data through p::clean()

---
 modules/user/views/admin_users.html.php       |  8 ++++----
 modules/user/views/admin_users_group.html.php | 12 ++++++++----
 modules/user/views/login.html.php             |  2 +-
 modules/user/views/reset_password.html.php    | 23 ++++++++++++-----------
 4 files changed, 25 insertions(+), 20 deletions(-)

(limited to 'modules/user')

diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index bec74d28..859f3c8e 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -68,16 +68,16 @@
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
                title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= $user->name ?>"
+               alt="<?= p::clean($user->name) ?>"
                width="20"
                height="20" />
-          <?= $user->name ?>
+          <?= p::clean($user->name) ?>
         </td>
         <td>
-          <?= $user->full_name ?>
+          <?= p::clean($user->full_name) ?>
         </td>
         <td>
-          <?= $user->email ?>
+          <?= p::clean($user->email) ?>
         </td>
         <td>
           <?= ($user->last_login == 0) ? "" : date("j-M-y", $user->last_login) ?>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index a25e687a..820b3031 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -1,8 +1,8 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
-<strong><?= $group->name ?></strong>
+<strong><?= p::clean($group->name) ?></strong>
 <? if (!$group->special): ?>
 <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
-  title="<?= t("Delete " . $group->name) ?>"
+  title="<?= t("Delete %name", array("name" => p::clean($group->name))) ?>"
   class="gDialogLink gButtonLink ui-state-default ui-corner-all">
   <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
 <? else: ?>
@@ -13,11 +13,15 @@
 <ul>
   <? foreach ($group->users as $i => $user): ?>
   <li class="gUser">
-    <?= $user->name ?>
+    <?= p::clean($user->name) ?>
     <? if (!$group->special): ?>
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
        class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
-      <span class="ui-icon ui-icon-closethick">Remove <?= $user->name ?> from <?= $group->name ?></span></a>
+      <span class="ui-icon ui-icon-closethick">
+        <?= t("Remove %user from %group",
+              array("user" => p::clean($user->name), "group" => p::clean($group->name))) ?>
+      </span>
+    </a>
     <? endif ?>
   </li>
   <? endforeach ?>
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index d9a558b5..cce2fb54 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -11,7 +11,7 @@
                 '<a href="' . url::site("form/edit/users/{$user->id}") .
                 '" title="' . t("Edit Your Profile") .
                 '" id="gUserProfileLink" class="gDialogLink">' .
-                (empty($user->full_name) ? $user->name : $user->full_name) . '</a>')) ?></li>
+                p::clean(empty($user->full_name) ? $user->name : $user->full_name) . '</a>')) ?></li>
   <li><a href="<?= url::site("logout?continue=" . url::current(true)) ?>"
       id="gLogoutLink"><?= t("Logout") ?></a></li>
   <? endif; ?>
diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php
index 39845d61..4c4672ee 100644
--- a/modules/user/views/reset_password.html.php
+++ b/modules/user/views/reset_password.html.php
@@ -1,14 +1,15 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
-<head>
-  <title><?= $title ?> </title>
-</head>
-<body>
-  <h2><?= t("Password Reset Request") ?> </h2>
-  <p>
-    <?= sprintf(t("A request to reset your password (user: %s) at %s."), $name, url::base(false, "http")) ?>
-    <?= sprintf(t("To confirm this request please click on the link below")) ?><br />
-    <a href="<?= $url ?>"><?= t("Reset Password") ?></a>
-  </p>
-</body>
+  <head>
+    <title><?= t("Password Reset Request") ?> </title>
+  </head>
+  <body>
+    <h2><?= t("Password Reset Request") ?> </h2>
+    <p>
+      <?= t("Hello, %name,", array("name" => p::clean($user->full_name ? $user->full_name : $user->name))) ?>
+    </p>
+    <p>
+      <?= t("We received a request to reset your password for <a href=\"%site_url\">%site_url</a>.  If you made this request, you can confirm it by <a href=\"%confirm_url\">clicking this link</a>.  If you didn't request this password reset, it's ok to ignore this mail.", array("site_url" => url::base(false, "http"), "confirm_url" => $confirm_url)) ?>
+    </p>
+  </body>
 </html>
-- 
cgit v1.2.3