From d5660d2d3ea6e8172272f1eb27e8071a1a42d87b Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 13:41:18 -0700
Subject: Fixing all detected XSS vectors in PHP->JS code.

Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
---
 themes/admin_default/views/admin.html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'themes/admin_default')

diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index d27f9260..61821428 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel') ?>";
+   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
    </script>
    <?= $theme->script("gallery.dialog.js") ?>
    <?= $theme->script("superfish/js/superfish.js") ?>
-- 
cgit v1.2.3


From 00c73ec852c29c214d72193ce368bc12a7305794 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 30 Aug 2009 15:34:46 -0700
Subject: Updating uses of html::js_string and SafeString::for_js (value now
 contains string delimiters)

---
 modules/gallery/views/admin_languages.html.php    | 86 +++++++++++------------
 modules/gallery/views/l10n_client.html.php        | 10 +--
 modules/gallery/views/permissions_browse.html.php | 17 ++---
 modules/gallery/views/simple_uploader.html.php    | 50 ++++++-------
 themes/admin_default/views/admin.html.php         |  2 +-
 themes/default/views/page.html.php                |  4 +-
 themes/default/views/photo.html.php               |  2 +-
 7 files changed, 85 insertions(+), 86 deletions(-)

(limited to 'themes/admin_default')

diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index ae2b3383..fa97d299 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -11,12 +11,11 @@
       <tr>
         <th> <?= t("Installed") ?> </th>
         <th> <?= t("Language") ?> </th>
-				<th> <?= t("Default language") ?> </th>
+        <th> <?= t("Default language") ?> </th>
       </tr>
       <? $i = 0 ?>
       <? foreach ($available_locales as $code => $display_name):  ?>
-			
-			<? if ($i == (count($available_locales)/2)): ?>
+      <? if ($i == (count($available_locales)/2)): ?>
       <table>
         <tr>
           <th> <?= t("Installed") ?> </th>
@@ -24,24 +23,24 @@
           <th> <?= t("Default language") ?> </th>
         </tr>
       <? endif ?>
-			
+
       <tr class="<?= (isset($installed_locales[$code])) ? "installed" : "" ?><?= ($default_locale == $code) ? " default" : "" ?>">
         <td> <?= form::checkbox("installed_locales[]", $code, isset($installed_locales[$code])) ?> </td>
-				<td> <?= $display_name ?> </td>
-				<td>
-					<?= form::radio("default_locale", $code, ($default_locale == $code), ((isset($installed_locales[$code]))?'':'disabled="disabled"') ) ?>
-				</td>
+        <td> <?= $display_name ?> </td>
+        <td>
+        <?= form::radio("default_locale", $code, ($default_locale == $code), ((isset($installed_locales[$code]))?'':'disabled="disabled"') ) ?>
+        </td>
       </tr>
       <? $i++ ?>
-			
+
       <? endforeach ?>
     </table>
-		<input type="submit" value="<?= t("Update languages")->for_html_attr() ?>" />
+    <input type="submit" value="<?= t("Update languages")->for_html_attr() ?>" />
   </form>
-	
-	<script type="text/javascript">
-    var old_default_locale = "<?= html::clean_js($default_locale) ?>";
-    
+
+  <script type="text/javascript">
+    var old_default_locale = <?= html::js_string($default_locale) ?>;
+
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
         $("input[type='radio'][value='" + this.value + "']").enable();
@@ -57,7 +56,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= html::clean_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="' + <?= html::js_string(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?> + '"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
@@ -68,38 +67,37 @@
 
 <div id="gTranslations">
   <h1> <?= t("Translations") ?> </h1>
-	<p>
+  <p>
     <?= t("Create your own translations and share them with the rest of the Gallery community.") ?>
   </p>
-	
-	<h3><?= t("Translating Gallery") ?></h3>
-	
-	<div class="gBlock">
-		<a href="http://codex.gallery2.org/Gallery3:Localization" target="_blank"
-		  class="gDocLink ui-state-default ui-corner-all ui-icon ui-icon-help"
-			title="<?= t("Localization documentation")->for_html_attr() ?>">
+
+  <h3><?= t("Translating Gallery") ?></h3>
+
+  <div class="gBlock">
+    <a href="http://codex.gallery2.org/Gallery3:Localization" target="_blank"
+       class="gDocLink ui-state-default ui-corner-all ui-icon ui-icon-help"
+       title="<?= t("Localization documentation")->for_html_attr() ?>">
       <?= t("Localization documentation") ?>
     </a>
-		
-		<p><?= t("<strong>Step 1:</strong> Make sure the target language is installed and up to date (check above).") ?></p>
-		
-      <p><?= t("<strong>Step 2:</strong> Make sure you have selected the right  target language (currently %default_locale).",
-               array("default_locale" => locales::display_name())) ?></p>
-		
-		<p><?= t("<strong>Step 3:</strong> Start the translation mode and the translation interface will appear at the bottom of each Gallery page.") ?></p>
-		
-		<a href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>"
-		  class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
-		  <span class="ui-icon ui-icon-power"></span>
-                  <? if (Session::instance()->get("l10n_mode", false)): ?>
-                  <?= t("Stop translation mode") ?>
-                  <? else: ?>
-                  <?= t("Start translation mode") ?>
-                  <? endif ?>
-	  </a>
-	</div>
-	
-	<h3>Sharing your translations</h3>
-	
+
+    <p><?= t("<strong>Step 1:</strong> Make sure the target language is installed and up to date (check above).") ?></p>
+
+    <p><?= t("<strong>Step 2:</strong> Make sure you have selected the right  target language (currently %default_locale).",
+             array("default_locale" => locales::display_name())) ?></p>
+
+    <p><?= t("<strong>Step 3:</strong> Start the translation mode and the translation interface will appear at the bottom of each Gallery page.") ?></p>
+
+    <a href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>"
+       class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
+      <span class="ui-icon ui-icon-power"></span>
+      <? if (Session::instance()->get("l10n_mode", false)): ?>
+      <?= t("Stop translation mode") ?>
+      <? else: ?>
+      <?= t("Start translation mode") ?>
+      <? endif ?>
+   </a>
+</div>
+
+<h3>Sharing your translations</h3>
   <?= $share_translations_form ?>
 </div>
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index 520fd79e..aca1e654 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -2,9 +2,9 @@
 <div id="l10n-client" class="hidden">
   <div class="labels">
     <span id="l10n-client-toggler">
-    	<a id="gMinimizeL10n">_</a>
-			<a id="gCloseL10n" href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>">X</a>
-	  </span>
+      <a id="gMinimizeL10n">_</a>
+      <a id="gCloseL10n" href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>">X</a>
+    </span>
     <div class="label strings"><h2><?= t("Page Text") ?>
     <? if (!Input::instance()->get('show_all_l10n_messages')): ?>
       <a style="background-color:#fff" href="<?= url::site("admin/languages?show_all_l10n_messages=1") ?>"><?= t("(Show All)") ?></a>
@@ -72,8 +72,8 @@
     </div>
   </div>
   <script type="text/javascript">
-    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text")->for_js() ?>";
-    var MSG_CLOSE_X = "<?= t("X")->for_js() ?>";
+    var MSG_TRANSLATE_TEXT = <?= t("Translate Text")->for_js() ?>;
+    var MSG_CLOSE_X = <?= t("X")->for_js() ?>;
     var l10n_client_data = <?= json_encode($string_list) ?>;
     var plural_forms = <?= json_encode($plural_forms) ?>;
   </script>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index d9395b3f..231daa04 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -5,9 +5,9 @@
     $.ajax({
       url: form_url.replace("__ITEM__", id),
       success: function(data) {
-		    $("#gEditPermissionForm").html(data);
-		    $(".active").removeClass("active");
-		    $("#item-" + id).addClass("active");
+          $("#gEditPermissionForm").html(data);
+          $(".active").removeClass("active");
+          $("#item-" + id).addClass("active");
       }
     });
   }
@@ -28,13 +28,14 @@
   <? if (!$htaccess_works): ?>
   <ul id="gMessage">
     <li class="gError">
-      <?= t("Oh no!  Your server needs a configuration change in order for you to hide photos!  Ask your server administrator to enable <a %mod_rewrite_attrs>mod_rewrite</a> and set <a %apache_attrs><i>AllowOverride FileInfo Options</i></a> to fix this.", array("mod_rewrite_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\"")) ?>
+      <?= t("Oh no!  Your server needs a configuration change in order for you to hide photos!  Ask your server administrator to enable <a %mod_rewrite_attrs>mod_rewrite</a> and set <a %apache_attrs><i>AllowOverride FileInfo Options</i></a> to fix this.",
+            array("mod_rewrite_attrs" => html::mark_safe("href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\""))) ?>
     </li>
   </ul>
   <? endif ?>
-  
+
   <p><?= t("Edit permissions for album:") ?></p>
-  
+
   <ul class="gBreadcrumbs">
     <? foreach ($parents as $parent): ?>
     <li id="item-<?= $parent->id ?>">
@@ -45,11 +46,11 @@
     <? endforeach ?>
     <li class="active" id="item-<?= $item->id ?>">
       <a href="javascript:show(<?= $item->id ?>)">
-    	<?= html::purify($item->title) ?>
+        <?= html::purify($item->title) ?>
       </a>
     </li>
   </ul>
-  
+
   <div id="gEditPermissionForm">
     <?= $form ?>
   </div>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index ccb166fc..9cf554ec 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,22 +82,22 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= html::clean_js(url::file("lib/swfupload/swfupload.swf")) ?>",
-    upload_url: "<?= html::clean_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
+    flash_url: <?= html::js_string(url::file("lib/swfupload/swfupload.swf")) ?>,
+    upload_url: <?= html::js_string(url::site("simple_uploader/add_photo/$item->id")) ?>,
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= html::clean_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>",
+    file_size_limit: <?= html::js_string(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>,
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
-    file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
+    file_types_description: <?= t("Photos and Movies")->for_js() ?>,
     file_upload_limit: 1000,
     file_queue_limit: 0,
     custom_settings: { },
     debug: false,
 
     // Button settings
-    button_image_url: "<?= html::clean_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
+    button_image_url: <?= html::js_string(url::file("themes/default/images/select-photos-backg.png")) ?>,
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
@@ -145,13 +145,13 @@
   function file_queued(file) {
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("pending", "<?= t("Pending...")->for_js() ?>");
+    fp.set_status("pending", <?= t("Pending...")->for_js() ?>);
     // @todo add cancel button to call this.cancelUpload(file.id)
   }
 
   function file_queue_error(file, error_code, message) {
     if (error_code === SWFUpload.QUEUE_ERROR.QUEUE_LIMIT_EXCEEDED) {
-      alert("<?= t("You have attempted to queue too many files.")->for_js() ?>");
+      alert(<?= t("You have attempted to queue too many files.")->for_js() ?>);
       return;
     }
 
@@ -159,20 +159,20 @@
     switch (error_code) {
     case SWFUpload.QUEUE_ERROR.FILE_EXCEEDS_SIZE_LIMIT:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>");
+      fp.set_status("error", <?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>);
       break;
     case SWFUpload.QUEUE_ERROR.ZERO_BYTE_FILE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Cannot upload empty files.")->for_js() ?>");
+      fp.set_status("error", <?= t("Cannot upload empty files.")->for_js() ?>);
       break;
     case SWFUpload.QUEUE_ERROR.INVALID_FILETYPE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Invalid file type.")->for_js() ?>");
+      fp.set_status("error", <?= t("Invalid file type.")->for_js() ?>);
       break;
     default:
       if (file !== null) {
         fp.title.html(file.name);
-        fp.set_status("error", "<?= t("Unknown error")->for_js() ?>");
+        fp.set_status("error", <?= t("Unknown error")->for_js() ?>);
       }
       break;
     }
@@ -193,7 +193,7 @@
     // no uploadProgress events are called (limitation in the Linux Flash VM).
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
+    fp.set_status("uploading", <?= t("Uploading...")->for_js() ?>);
     $("#gAddPhotosCanvas").scrollTo(fp.box, 1000);
     return true;
     // @todo add cancel button to call this.cancelUpload(file.id)
@@ -202,7 +202,7 @@
   function upload_progress(file, bytes_loaded, bytes_total) {
     var percent = Math.ceil((bytes_loaded / bytes_total) * 100);
     var fp = new File_Progress(file);
-    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
+    fp.set_status("uploading", <?= t("Uploading...")->for_js() ?>);
     fp.progress_bar.css("visibility", "visible");
     fp.progress_bar.progressbar("value", percent);
   }
@@ -210,42 +210,42 @@
   function upload_success(file, serverData) {
     var fp = new File_Progress(file);
     fp.progress_bar.progressbar("value", 100);
-    fp.set_status("complete", "<?= t("Complete.")->for_js() ?>");
+    fp.set_status("complete", <?= t("Complete.")->for_js() ?>);
   }
 
   function upload_error(file, error_code, message) {
     var fp = new File_Progress(file);
     switch (error_code) {
     case SWFUpload.UPLOAD_ERROR.HTTP_ERROR:
-      fp.set_status("error", "<?= t("Upload error: bad image file")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload error: bad image file")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_FAILED:
-      fp.set_status("error", "<?= t("Upload failed")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload failed")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.IO_ERROR:
-      fp.set_status("error", "<?= t("Server error")->for_js() ?>");
+      fp.set_status("error", <?= t("Server error")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.SECURITY_ERROR:
-      fp.set_status("error", "<?= t("Security error")->for_js() ?>");
+      fp.set_status("error", <?= t("Security error")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_LIMIT_EXCEEDED:
-      fp.set_status("error", "<?= t("Upload limit exceeded")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload limit exceeded")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_VALIDATION_FAILED:
-      fp.set_status("error", "<?= t("Failed validation.  File skipped")->for_js() ?>");
+      fp.set_status("error", <?= t("Failed validation.  File skipped")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_CANCELLED:
       // If there aren't any files left (they were all cancelled) disable the cancel button
       if (this.getStats().files_queued === 0) {
         $("#gUploadCancel").hide();
       }
-      fp.set_status("error", "<?= t("Cancelled")->for_js() ?>");
+      fp.set_status("error", <?= t("Cancelled")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_STOPPED:
-      fp.set_status("error", "<?= t("Stopped")->for_js() ?>");
+      fp.set_status("error", <?= t("Stopped")->for_js() ?>);
       break;
     default:
-      fp.set_status("error", "<?= t("Unknown error: ")->for_js() ?>" + error_code);
+      fp.set_status("error", <?= t("Unknown error: ")->for_js() ?> + error_code);
       break;
     }
   }
@@ -259,7 +259,7 @@
   }
 
   function get_completed_status_msg(stats) {
-    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>";
+    var msg = <?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>;
     msg = msg.replace("__COMPLETED__", stats.successful_uploads);
     msg = msg.replace("__TOTAL__", stats.files_queued + stats.successful_uploads +
       stats.upload_errors + stats.upload_cancelled + stats.queue_errors);
@@ -268,7 +268,7 @@
 
   // This event comes from the Queue Plugin
   function queue_complete(num_files_uploaded) {
-    var status_msg = "<?= t("Uploaded: __COUNT__")->for_js() ?>";
+    var status_msg = <?= t("Uploaded: __COUNT__")->for_js() ?>;
     $("#gUploadStatus").html(status_msg.replace("__COUNT__", num_files_uploaded));
   }
 </script>
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index 2ed8c38e..3b1ff92c 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
+   var MSG_CANCEL = <?= t('Cancel')->for_js() ?>;
    </script>
    <?= $theme->script("gallery.ajax.js") ?>
    <?= $theme->script("gallery.dialog.js") ?>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index 844ef295..2696442b 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -12,7 +12,7 @@
           <? if ($theme->item()->is_album()): ?>
           <?= t("Browse Album :: %album_title", array("album_title" => $theme->item()->title)) ?>
           <? elseif ($theme->item()->is_photo()): ?>
-	  <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
+          <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
           <? else: ?>
           <?= t("Movie :: %movie_title", array("movie_title" => $theme->item()->title)) ?>
           <? endif ?>
@@ -51,7 +51,7 @@
     <?= $theme->script("gallery.common.js") ?>
     <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
     <script type="text/javascript">
-    var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
+    var MSG_CANCEL = <?= t('Cancel')->for_js() ?>;
     </script>
     <?= $theme->script("gallery.ajax.js") ?>
     <?= $theme->script("gallery.dialog.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 00e157ce..5289b467 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= html::clean_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size(<?= html::js_string($theme->item()->file_url()) ?>, "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
-- 
cgit v1.2.3