From 708f27f483d70660446ea2132b02cb7b39225f98 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sun, 31 May 2009 00:11:48 -0700
Subject: Run p::clean() on any variables that contain data entered by users.

---
 .../comment/views/admin_block_recent_comments.html.php |  6 +++---
 modules/comment/views/admin_comments.html.php          | 10 +++++-----
 modules/comment/views/comment.html.php                 |  6 +++---
 modules/comment/views/comments.html.php                |  6 +++---
 modules/exif/views/exif_dialog.html.php                |  4 ++--
 modules/gallery/views/admin_advanced_settings.html.php |  8 ++++----
 modules/gallery/views/admin_block_log_entries.html.php |  2 +-
 .../gallery/views/admin_block_photo_stream.html.php    |  4 ++--
 modules/gallery/views/admin_maintenance.html.php       |  2 +-
 modules/gallery/views/after_install.html.php           |  2 +-
 modules/gallery/views/move_tree.html.php               |  8 ++++----
 modules/gallery/views/permissions_browse.html.php      |  4 ++--
 modules/gallery/views/permissions_form.html.php        |  2 +-
 modules/gallery/views/simple_uploader.html.php         |  6 +++---
 modules/info/views/info_block.html.php                 |  8 ++++----
 modules/notification/views/comment_published.html.php  | 18 +++++++++++-------
 modules/notification/views/item_added.html.php         | 14 +++++++++-----
 modules/search/views/search.html.php                   | 10 ++++++----
 18 files changed, 65 insertions(+), 55 deletions(-)

(limited to 'modules')

diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php
index d7b8d2b0..d5aab84c 100644
--- a/modules/comment/views/admin_block_recent_comments.html.php
+++ b/modules/comment/views/admin_block_recent_comments.html.php
@@ -4,13 +4,13 @@
   <li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
     <img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
          class="gAvatar"
-         alt="<?= $comment->author_name() ?>"
+         alt="<?= p::clean($comment->author_name()) ?>"
          width="32"
          height="32" />
     <?= date("Y-M-d H:i:s", $comment->created) ?>
     <?= t("<a href=#>%author_name</a> said <em>%comment_text</em>",
-          array("author_name" => $comment->author_name(),
-                "comment_text" => text::limit_words($comment->text, 50))); ?>
+        array("author_name" => p::clean($comment->author_name()),
+                "comment_text" => text::limit_words(p::clean($comment->text), 50))); ?>
   </li>
   <? endforeach ?>
 </ul>
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index 16816636..79bdb1f3 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -108,12 +108,12 @@
         <a href="#">
           <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
                class="gAvatar"
-               alt="<?= $comment->author_name() ?>"
+               alt="<?= p::clean($comment->author_name()) ?>"
                width="40"
                height="40" />
         </a>
-        <p><a href="mailto:<?= $comment->author_email() ?>"
-           title="<?= $comment->author_email() ?>"> <?= $comment->author_name() ?> </a></p>
+        <p><a href="mailto:<?= p::clean($comment->author_email()) ?>"
+              title="<?= p::clean($comment->author_email()) ?>"> <?= p::clean($comment->author_name()) ?> </a></p>
       </td>
       <td>
         <div class="right">
@@ -122,7 +122,7 @@
             <a href="<?= $item->url() ?>">
               <? if ($item->has_thumb()): ?>
               <img src="<?= $item->thumb_url() ?>"
-                 alt="<?= $item->title ?>"
+                 alt="<?= p::clean($item->title) ?>"
                  <?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
               />
               <? else: ?>
@@ -132,7 +132,7 @@
           </div>
         </div>
         <p><?= date("Y-M-d", $comment->created); ?></p>
-        <?= $comment->text ?>
+        <?= p::clean($comment->text) ?>
       </td>
       <td>
         <ul class="gButtonSetVertical">
diff --git a/modules/comment/views/comment.html.php b/modules/comment/views/comment.html.php
index 1a674142..0337173b 100644
--- a/modules/comment/views/comment.html.php
+++ b/modules/comment/views/comment.html.php
@@ -4,14 +4,14 @@
     <a href="#">
       <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
            class="gAvatar"
-           alt="<?= $comment->author_name() ?>"
+           alt="<?= p::clean($comment->author_name()) ?>"
            width="40"
            height="40" />
     </a>
     <?= t("on ") . date("Y-M-d H:i:s", $comment->created) ?>
-    <a href="#"><?= $comment->author_name() ?></a> <?= t("said") ?>
+    <a href="#"><?= p::clean($comment->author_name()) ?></a> <?= t("said") ?>
   </p>
   <div>
-    <?= $comment->text ?>
+    <?= p::clean($comment->text) ?>
   </div>
 </li>
diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php
index 25928ab5..95f07baf 100644
--- a/modules/comment/views/comments.html.php
+++ b/modules/comment/views/comments.html.php
@@ -12,16 +12,16 @@
       <a href="#">
         <img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
              class="gAvatar"
-             alt="<?= $comment->author_name() ?>"
+             alt="<?= p::clean($comment->author_name()) ?>"
              width="40"
              height="40" />
       </a>
       <?= t("on %date <a href=#>%name</a> said",
             array("date" => date("Y-M-d H:i:s", $comment->created),
-                  "name" => $comment->author_name())); ?>
+                  "name" => p::clean($comment->author_name()))); ?>
     </p>
     <div>
-      <?= $comment->text ?>
+      <?= p::clean($comment->text) ?>
     </div>
   </li>
   <? endforeach ?>
diff --git a/modules/exif/views/exif_dialog.html.php b/modules/exif/views/exif_dialog.html.php
index d7985a30..6494b2b0 100644
--- a/modules/exif/views/exif_dialog.html.php
+++ b/modules/exif/views/exif_dialog.html.php
@@ -14,14 +14,14 @@
          <?= $details[$i]["caption"] ?>
          </td>
          <td class="gOdd">
-         <?= $details[$i]["value"] ?>
+         <?= p::clean($details[$i]["value"]) ?>
          </td>
          <? if (!empty($details[++$i])): ?>
            <td class="gEven">
            <?= $details[$i]["caption"] ?>
            </td>
            <td class="gOdd">
-           <?= $details[$i]["value"] ?>
+           <?= p::clean($details[$i]["value"]) ?>
            </td>
          <? else: ?>
            <td class="gEven"></td><td class="gOdd"></td>
diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php
index 9f90d671..77aff050 100644
--- a/modules/gallery/views/admin_advanced_settings.html.php
+++ b/modules/gallery/views/admin_advanced_settings.html.php
@@ -20,12 +20,12 @@
     <? if ($var->module_name == "gallery" && $var->name == "_cache") continue ?>
     <tr class="setting">
       <td> <?= $var->module_name ?> </td>
-      <td> <?= $var->name ?> </td>
+      <td> <?= p::clean($var->name) ?> </td>
       <td>
-        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/$var->name") ?>"
+        <a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . p::clean($var->name)) ?>"
           class="gDialogLink"
-          title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
-          <?= $var->value ?>
+          title="<?= t("Edit %var (%module_name)", array("var" => p::clean($var->name), "module_name" => $var->module_name)) ?>">
+          <?= p::clean($var->value) ?>
       </a>
       </td>
     </tr>
diff --git a/modules/gallery/views/admin_block_log_entries.html.php b/modules/gallery/views/admin_block_log_entries.html.php
index db6313e1..5d8f3084 100644
--- a/modules/gallery/views/admin_block_log_entries.html.php
+++ b/modules/gallery/views/admin_block_log_entries.html.php
@@ -2,7 +2,7 @@
 <ul>
   <? foreach ($entries as $entry): ?>
   <li class="<?= log::severity_class($entry->severity) ?>">
-    <a href="<?= url::site("user/$entry->user_id") ?>"><?= $entry->user->name ?></a>
+    <a href="<?= url::site("user/$entry->user_id") ?>"><?= p::clean($entry->user->name) ?></a>
     <?= date("Y-M-d H:i:s", $entry->timestamp) ?>
     <?= $entry->message ?>
     <?= $entry->html ?>
diff --git a/modules/gallery/views/admin_block_photo_stream.html.php b/modules/gallery/views/admin_block_photo_stream.html.php
index e8a4d933..1e1329d1 100644
--- a/modules/gallery/views/admin_block_photo_stream.html.php
+++ b/modules/gallery/views/admin_block_photo_stream.html.php
@@ -2,9 +2,9 @@
 <ul>
 <? foreach ($photos as $photo): ?>
   <li class="gItem gPhoto">
-    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= $photo->title ?>">
+    <a href="<?= url::site("photos/$photo->id") ?>" title="<?= p::clean($photo->title) ?>">
       <img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
-        src="<?= $photo->thumb_url() ?>" alt="<?= $photo->title ?>" />
+        src="<?= $photo->thumb_url() ?>" alt="<?= p::clean($photo->title) ?>" />
     </a>
   </li>
 <? endforeach ?>
diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index bc060a7b..66c4eea0 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -90,7 +90,7 @@
           <?= $task->status ?>
         </td>
         <td>
-          <?= $task->owner()->name ?>
+          <?= p::clean($task->owner()->name) ?>
         </td>
         <td>
           <? if ($task->state == "stalled"): ?>
diff --git a/modules/gallery/views/after_install.html.php b/modules/gallery/views/after_install.html.php
index aa26858a..d6ba8e7c 100644
--- a/modules/gallery/views/after_install.html.php
+++ b/modules/gallery/views/after_install.html.php
@@ -8,7 +8,7 @@
 </p>
 
 <p>
-  <?= t("You're logged in to the <b>%user_name</b> account.  The very first thing you should do is to change your password to something that you'll remember.", array("user_name" => $user->name)) ?>
+  <?= t("You're logged in to the <b>%user_name</b> account.  The very first thing you should do is to change your password to something that you'll remember.", array("user_name" => p::clean($user->name))) ?>
 </p>
 
 <p>
diff --git a/modules/gallery/views/move_tree.html.php b/modules/gallery/views/move_tree.html.php
index a3a4bc8f..91a2f9da 100644
--- a/modules/gallery/views/move_tree.html.php
+++ b/modules/gallery/views/move_tree.html.php
@@ -1,18 +1,18 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <?= $parent->thumb_tag(array(), 25); ?>
 <? if (!access::can("edit", $parent) || $source->is_descendant($parent)): ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= $parent->title ?> <?= t("(locked)") ?> </a>
+<a href="javascript:load_tree('<?= $parent->id ?>',1)"> <?= p::clean($parent->title) ?> <?= t("(locked)") ?> </a>
 <? else: ?>
-<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= $parent->title ?></a>
+<a href="javascript:load_tree('<?= $parent->id ?>',0)"> <?= p::clean($parent->title) ?></a>
 <? endif ?>
 <ul id="tree_<?= $parent->id ?>">
   <? foreach ($children as $child): ?>
   <li id="node_<?= $child->id ?>" class="node">
     <?= $child->thumb_tag(array(), 25); ?>
     <? if (!access::can("edit", $child) || $source->is_descendant($child)): ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= $child->title ?> <?= t("(locked)") ?></a>
+    <a href="javascript:load_tree('<?= $child->id ?>',1)"> <?= p::clean($child->title) ?> <?= t("(locked)") ?></a>
     <? else: ?>
-    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= $child->title ?> </a>
+    <a href="javascript:load_tree('<?= $child->id ?>',0)"> <?= p::clean($child->title) ?> </a>
     <? endif ?>
   </li>
   <? endforeach ?>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index 749bee4f..5cd9cf82 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -35,14 +35,14 @@
     <? foreach ($parents as $parent): ?>
     <li>
       <a href="javascript:show(<?= $parent->id ?>)">
-        <?= $parent->title ?>
+        <?= p::clean($parent->title) ?>
       </a>
       <div class="form" id="edit-<?= $parent->id ?>"></div>
       <ul>
         <? endforeach ?>
         <li>
           <a href="javascript:show(<?= $item->id ?>)">
-            <?= $item->title ?>
+            <?= p::clean($item->title) ?>
           </a>
           <div class="form" id="edit-<?= $item->id ?>">
             <?= $form ?>
diff --git a/modules/gallery/views/permissions_form.html.php b/modules/gallery/views/permissions_form.html.php
index 94103705..adf2bd94 100644
--- a/modules/gallery/views/permissions_form.html.php
+++ b/modules/gallery/views/permissions_form.html.php
@@ -6,7 +6,7 @@
     <tr>
       <th> </th>
       <? foreach ($groups as $group): ?>
-      <th> <?= $group->name ?> </th>
+      <th> <?= p::clean($group->name) ?> </th>
       <? endforeach ?>
     </tr>
 
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index b6725c31..abda6d26 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -5,7 +5,7 @@
 <!-- hack to set the title for the dialog -->
 <form id="gAddPhotosForm" action="<?= url::site("simple_uploader/finish") ?>">
   <fieldset>
-    <legend> <?= t("Add photos to %album_title", array("album_title" => $item->title)) ?> </legend>
+    <legend> <?= t("Add photos to %album_title", array("album_title" => p::clean($item->title))) ?> </legend>
   </fieldset>
 </form>
 
@@ -25,9 +25,9 @@
   </p>
   <ul class="gBreadcrumbs">
     <? foreach ($item->parents() as $parent): ?>
-    <li> <?= $parent->title ?> </li>
+    <li> <?= p::clean($parent->title) ?> </li>
     <? endforeach ?>
-    <li class="active"> <?= $item->title ?> </li>
+    <li class="active"> <?= p::clean($item->title) ?> </li>
   </ul>
 
   <p><?= t("Upload Queue") ?></p>
diff --git a/modules/info/views/info_block.html.php b/modules/info/views/info_block.html.php
index 880d5d3e..db664894 100644
--- a/modules/info/views/info_block.html.php
+++ b/modules/info/views/info_block.html.php
@@ -3,18 +3,18 @@
   <tbody>
     <tr>
       <th><?= t("Title:") ?></th>
-      <td><?= $item->title; ?></td>
+      <td><?= p::clean($item->title) ?></td>
     </tr>
     <? if ($item->description): ?>
     <tr>
       <th><?= t("Description:") ?></th>
-      <td><?= $item->description; ?></td>
+      <td><?= p::clean($item->description) ?></td>
     </tr>
     <? endif ?>
     <? if ($item->id != 1): ?>
     <tr>
       <th><?= t("Name:") ?></th>
-      <td><?= $item->name; ?></td>
+      <td><?= p::clean($item->name) ?></td>
     </tr>
     <? endif ?>
     <? if ($item->captured): ?>
@@ -26,7 +26,7 @@
     <? if ($item->owner): ?>
     <tr>
       <th><?= t("Owner:") ?></th>
-      <td><a href="#"><?= $item->owner->name ?></a></td>
+      <td><a href="#"><?= p::clean($item->owner->name) ?></a></td>
     </tr>
     <? endif ?>
   </tbody>
diff --git a/modules/notification/views/comment_published.html.php b/modules/notification/views/comment_published.html.php
index 23588c72..ff2ba0bc 100644
--- a/modules/notification/views/comment_published.html.php
+++ b/modules/notification/views/comment_published.html.php
@@ -1,30 +1,34 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= $subject ?> </title>
+    <title><?= p::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= $subject ?></h2>
+    <h2><?= p::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Comment:") ?></td>
-        <td><?= $comment->text ?></td>
+        <td><?= p::clean($comment->text) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Name:") ?></td>
-        <td><?= $comment->author_name() ?></td>
+        <td><?= p::clean($comment->author_name()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author Email:") ?></td>
-        <td><?= $comment->author_email() ?></td>
+        <td><?= p::clean($comment->author_email()) ?></td>
       </tr>
       <tr>
         <td><?= t("Author URL:") ?></td>
-        <td><?= $comment->author_url() ?></td>
+        <td><?= p::clean($comment->author_url()) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
-        <td><a href="<?= $comment->item()->url(array(), true) ?>#comments"><?= $comment->item()->url(array(), true) ?>#comments</a></td>
+        <td>
+          <a href="<?= $comment->item()->url(array(), true) ?>#comments">
+            <?= $comment->item()->url(array(), true) ?>#comments
+          </a>
+        </td>
       </tr>
     </table>
   </body>
diff --git a/modules/notification/views/item_added.html.php b/modules/notification/views/item_added.html.php
index b67b9f38..32857c08 100644
--- a/modules/notification/views/item_added.html.php
+++ b/modules/notification/views/item_added.html.php
@@ -1,23 +1,27 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
   <head>
-    <title><?= $subject ?> </title>
+    <title><?= p::clean($subject) ?> </title>
   </head>
   <body>
-    <h2><?= $subject ?></h2>
+    <h2><?= p::clean($subject) ?></h2>
     <table>
       <tr>
         <td><?= t("Title:") ?></td>
-        <td><?= $item->title ?></td>
+        <td><?= p::clean($item->title) ?></td>
       </tr>
       <tr>
         <td><?= t("Url:") ?></td>
-        <td><a href="<?= $item->url(array(), true) ?>"><?= $item->url(array(), true) ?></a></td>
+        <td>
+          <a href="<?= $item->url(array(), true) ?>">
+            <?= $item->url(array(), true) ?>
+          </a>
+        </td>
       </tr>
       <? if ($item->description): ?>
       <tr>
         <td><?= t("Description:") ?></td>
-        <td><?= $item->description ?></td>
+        <td><?= p::clean($item->description) ?></td>
       </tr>
       <? endif ?>
     </table>
diff --git a/modules/search/views/search.html.php b/modules/search/views/search.html.php
index fb1fd8a9..de4343ae 100644
--- a/modules/search/views/search.html.php
+++ b/modules/search/views/search.html.php
@@ -8,7 +8,7 @@
     <ul>
       <li>
         <label for="q"><?= t("Search the gallery") ?></label>
-        <input name="q" id="q" type="text" value="<?= $q ?>"/>
+        <input name="q" id="q" type="text" value="<?= p::clean($q) ?>"/>
       </li>
       <li>
         <input type="submit" value="<?= t("Search") ?>" />
@@ -31,10 +31,10 @@
       <a href="<?= url::site("items/$item->id") ?>">
         <?= $item->thumb_tag() ?>
         <p>
-          <?= $item->title ?>
+          <?= p::clean($item->title) ?>
         </p>
         <div>
-          <?= $item->description ?>
+          <?= p::clean($item->description) ?>
         </div>
       </a>
     </li>
@@ -43,7 +43,9 @@
   <?= $theme->pager() ?>
 
   <? else: ?>
-  <p><?= t("No results found for '") . $q . "'" ?></p>
+  <p>
+    <?= t("No results found for <b>%term</b>", array("term" => p::clean($q))) ?>
+  </p>
 
   <? endif; ?>
 </div>
-- 
cgit v1.2.3