From c01ac42c4604b3b129e8089e0dc683ebd418b380 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 12:48:40 -0700
Subject: Refactor all calls of p::clean() to SafeString::of() and p::purify()
 to SafeString::purify().

Removing any p::clean() calls for arguments to t() and t2() since their args are wrapped in a SafeString anyway.
---
 themes/default/views/page.html.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'themes/default/views/page.html.php')

diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index 66282bae..ea2be37b 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -10,14 +10,14 @@
       <? else: ?>
         <? if ($theme->item()): ?>
           <? if ($theme->item()->is_album()): ?>
-          <?= t("Browse Album :: %album_title", array("album_title" => p::clean($theme->item()->title))) ?>
+          <?= t("Browse Album :: %album_title", array("album_title" => $theme->item()->title)) ?>
           <? elseif ($theme->item()->is_photo()): ?>
-          <?= t("Photo :: %photo_title", array("photo_title" => p::clean($theme->item()->title))) ?>
+	  <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
           <? else: ?>
-          <?= t("Movie :: %movie_title", array("movie_title" => p::clean($theme->item()->title))) ?>
+          <?= t("Movie :: %movie_title", array("movie_title" => $theme->item()->title)) ?>
           <? endif ?>
         <? elseif ($theme->tag()): ?>
-          <?= t("Browse Tag :: %tag_title", array("tag_title" => p::clean($theme->tag()->name))) ?>
+          <?= t("Browse Tag :: %tag_title", array("tag_title" => $theme->tag()->name)) ?>
         <? else: /* Not an item, not a tag, no page_title specified.  Help! */ ?>
           <?= t("Gallery") ?>
         <? endif ?>
-- 
cgit v1.2.3


From d5660d2d3ea6e8172272f1eb27e8071a1a42d87b Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 13:41:18 -0700
Subject: Fixing all detected XSS vectors in PHP->JS code.

Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
---
 modules/gallery/tests/Xss_Security_Test.php    | 15 +++++--
 modules/gallery/views/l10n_client.html.php     |  4 +-
 modules/gallery/views/simple_uploader.html.php | 61 +++++++++++++-------------
 modules/organize/views/organize.html.php       | 16 +++----
 themes/admin_default/views/admin.html.php      |  2 +-
 themes/default/views/movie.html.php            |  2 +-
 themes/default/views/page.html.php             |  2 +-
 themes/default/views/photo.html.php            |  4 +-
 8 files changed, 56 insertions(+), 50 deletions(-)

(limited to 'themes/default/views/page.html.php')

diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index fd596c69..690dc760 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -178,10 +178,10 @@ class Xss_Security_Test extends Unit_Test_Case {
      * Generate the report
      *
      * States for uses of < ? = X ? >:
-     * JS_XSS:
+     * DIRTY_JS:
      *   In <script> block
      *     X can be anything without calling ->for_js()
-     * UNKNOWN:
+     * DIRTY:
      *   Outside <script> block:
      *     X can be anything without a call to ->for_html() or ->purified_html()
      * CLEAN:
@@ -196,9 +196,9 @@ class Xss_Security_Test extends Unit_Test_Case {
     ksort($found);
     foreach ($found as $view => $frames) {
       foreach ($frames as $frame) {
-	$state = "UNKNOWN";
+	$state = "DIRTY";
 	if ($frame->in_script_block()) {
-	  $state = "JS_XSS";
+	  $state = "DIRTY_JS";
 	  if ($frame->for_js_called() || $frame->json_encode_called()) {
 	    $state = "CLEAN";
 	  }
@@ -207,6 +207,13 @@ class Xss_Security_Test extends Unit_Test_Case {
 	    $state = "CLEAN";
 	  }
 	}
+
+	if ("CLEAN" == $state) {
+	  // Don't print CLEAN instances - No need to update the golden
+	  // file when adding / moving clean instances.
+	  continue;
+	}
+
 	fprintf($fd, "%-60s %-3s %-8s %s\n",
 		$view, $frame->line(), $state, $frame->expr());
       }
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index c73719ca..523552c3 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -69,8 +69,8 @@
     </div>
   </div>
   <script type="text/javascript">
-    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text") ?>";
-    var MSG_CLOSE_X = "<?= t("X") ?>";
+    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text")->for_js() ?>";
+    var MSG_CLOSE_X = "<?= t("X")->for_js() ?>";
     var l10n_client_data = <?= json_encode($string_list) ?>;
     var plural_forms = <?= json_encode($plural_forms) ?>;
   </script>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 56e568f6..fc426e8f 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,27 +82,26 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= url::file("lib/swfupload/swfupload.swf") ?>",
-    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id") ?>",
-    post_params: {
-      "g3sid": "<?= Session::instance()->id() ?>",
-      "user_agent": "<?= Input::instance()->server("HTTP_USER_AGENT") ?>",
-      "csrf": "<?= $csrf ?>"
-    },
-    file_size_limit: "<?= ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB" ?>",
+    flash_url: "<?= url::file("lib/swfupload/swfupload.swf")->for_js() ?>",
+    upload_url: "<?= url::site("simple_uploader/add_photo/$item->id")->for_js() ?>",
+    post_params: <?= json_encode(array(
+      "g3sid" => Session::instance()->id(),
+      "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
+      "csrf" => $csrf)) ?>,
+    file_size_limit: "<?= SafeString::of(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB")->for_js() ?>",
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
-    file_types_description: "<?= t("Photos and Movies") ?>",
+    file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
     file_upload_limit: 1000,
     file_queue_limit: 0,
     custom_settings: { },
     debug: false,
 
     // Button settings
-    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png") ?>",
+    button_image_url: "<?= url::file("themes/default/images/select-photos-backg.png")->for_js() ?>",
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
-    button_text: '<span class="swfUploadFont"><?= t("Select photos...") ?></span>',
+    button_text: <?= json_encode('<span class="swfUploadFont">' . t("Select photos...") . '</span>') ?>,
     button_text_style: ".swfUploadFont { color: #2E6E9E; font-size: 16px; font-family: Lucida Grande,Lucida Sans,Arial,sans-serif; font-weight: bold; }",
     button_text_left_padding: 30,
     button_text_top_padding: 10,
@@ -146,13 +145,13 @@
   function file_queued(file) {
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("pending", "<?= t("Pending...") ?>");
+    fp.set_status("pending", "<?= t("Pending...")->for_js() ?>");
     // @todo add cancel button to call this.cancelUpload(file.id)
   }
 
   function file_queue_error(file, error_code, message) {
     if (error_code === SWFUpload.QUEUE_ERROR.QUEUE_LIMIT_EXCEEDED) {
-      alert("<?= t("You have attempted to queue too many files.") ?>");
+      alert("<?= t("You have attempted to queue too many files.")->for_js() ?>");
       return;
     }
 
@@ -160,20 +159,20 @@
     switch (error_code) {
     case SWFUpload.QUEUE_ERROR.FILE_EXCEEDS_SIZE_LIMIT:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize"))) ?>");
+      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>");
       break;
     case SWFUpload.QUEUE_ERROR.ZERO_BYTE_FILE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Cannot upload empty files.") ?>");
+      fp.set_status("error", "<?= t("Cannot upload empty files.")->for_js() ?>");
       break;
     case SWFUpload.QUEUE_ERROR.INVALID_FILETYPE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Invalid file type.") ?>");
+      fp.set_status("error", "<?= t("Invalid file type.")->for_js() ?>");
       break;
     default:
       if (file !== null) {
         fp.title.html(file.name);
-        fp.set_status("error", "<?= t("Unknown error") ?>");
+        fp.set_status("error", "<?= t("Unknown error")->for_js() ?>");
       }
       break;
     }
@@ -194,7 +193,7 @@
     // no uploadProgress events are called (limitation in the Linux Flash VM).
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("uploading", "<?= t("Uploading...") ?>");
+    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
     $("#gAddPhotosCanvas").scrollTo(fp.box, 1000);
     return true;
     // @todo add cancel button to call this.cancelUpload(file.id)
@@ -203,7 +202,7 @@
   function upload_progress(file, bytes_loaded, bytes_total) {
     var percent = Math.ceil((bytes_loaded / bytes_total) * 100);
     var fp = new File_Progress(file);
-    fp.set_status("uploading", "<?= t("Uploading...") ?>");
+    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
     fp.progress_bar.css("visibility", "visible");
     fp.progress_bar.progressbar("value", percent);
   }
@@ -211,42 +210,42 @@
   function upload_success(file, serverData) {
     var fp = new File_Progress(file);
     fp.progress_bar.progressbar("value", 100);
-    fp.set_status("complete", "<?= t("Complete.") ?>");
+    fp.set_status("complete", "<?= t("Complete.")->for_js() ?>");
   }
 
   function upload_error(file, error_code, message) {
     var fp = new File_Progress(file);
     switch (error_code) {
     case SWFUpload.UPLOAD_ERROR.HTTP_ERROR:
-      fp.set_status("error", "<?= t("Upload error: ") ?>" + message);
+      fp.set_status("error", "<?= t("Upload error: ")->for_js() ?>" + message);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_FAILED:
-      fp.set_status("error", "<?= t("Upload failed") ?>");
+      fp.set_status("error", "<?= t("Upload failed")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.IO_ERROR:
-      fp.set_status("error", "<?= t("Server error") ?>");
+      fp.set_status("error", "<?= t("Server error")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.SECURITY_ERROR:
-      fp.set_status("error", "<?= t("Security error") ?>");
+      fp.set_status("error", "<?= t("Security error")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_LIMIT_EXCEEDED:
-      fp.set_status("error", "<?= t("Upload limit exceeded") ?>");
+      fp.set_status("error", "<?= t("Upload limit exceeded")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_VALIDATION_FAILED:
-      fp.set_status("error", "<?= t("Failed validation.  File skipped") ?>");
+      fp.set_status("error", "<?= t("Failed validation.  File skipped")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_CANCELLED:
       // If there aren't any files left (they were all cancelled) disable the cancel button
       if (this.getStats().files_queued === 0) {
         $("#gUploadCancel").hide();
       }
-      fp.set_status("error", "<?= t("Cancelled") ?>");
+      fp.set_status("error", "<?= t("Cancelled")->for_js() ?>");
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_STOPPED:
-      fp.set_status("error", "<?= t("Stopped") ?>");
+      fp.set_status("error", "<?= t("Stopped")->for_js() ?>");
       break;
     default:
-      fp.set_status("error", "<?= t("Unknown error: ") ?>" + error_code);
+      fp.set_status("error", "<?= t("Unknown error: ")->for_js() ?>" + error_code);
       break;
     }
   }
@@ -260,7 +259,7 @@
   }
 
   function get_completed_status_msg(stats) {
-    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__")) ?>";
+    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>";
     msg = msg.replace("__COMPLETED__", stats.successful_uploads);
     msg = msg.replace("__TOTAL__", stats.files_queued + stats.successful_uploads +
       stats.upload_errors + stats.upload_cancelled + stats.queue_errors);
@@ -269,7 +268,7 @@
 
   // This event comes from the Queue Plugin
   function queue_complete(num_files_uploaded) {
-    var status_msg = "<?= t("Uploaded: __COUNT__") ?>";
+    var status_msg = "<?= t("Uploaded: __COUNT__")->for_js() ?>";
     $("#gUploadStatus").html(status_msg.replace("__COUNT__", num_files_uploaded));
   }
 </script>
diff --git a/modules/organize/views/organize.html.php b/modules/organize/views/organize.html.php
index 1182a887..d2f0aa8c 100644
--- a/modules/organize/views/organize.html.php
+++ b/modules/organize/views/organize.html.php
@@ -1,16 +1,16 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <!-- ?= html::script("modules/organize/js/organize.js") ? -->
 <script>
-  var FATAL_ERROR = "<?= t("Fatal Error") ?>";
-  var PAUSE_BUTTON = "<?= t("Pause") ?>";
-  var RESUME_BUTTON = "<?= t("Resume") ?>";
-  var CANCEL_BUTTON = "<?= t("Cancel") ?>";
-  var INVALID_DROP_TARGET = "<div class=\"gError\"><?= t("Drop cancelled as it would result in a recursive move") ?></div>";
-var CONFIRM_DELETE = "<?= t("Do you really want to delete the selected albums and/or photos") ?>"
+  var FATAL_ERROR = "<?= t("Fatal Error")->for_js() ?>";
+  var PAUSE_BUTTON = "<?= t("Pause")->for_js() ?>";
+  var RESUME_BUTTON = "<?= t("Resume"->for_js()) ?>";
+  var CANCEL_BUTTON = "<?= t("Cancel")->for_js() ?>";
+  var INVALID_DROP_TARGET = "<div class=\"gError\"><?= t("Drop cancelled as it would result in a recursive move")->for_js() ?></div>";
+var CONFIRM_DELETE = "<?= t("Do you really want to delete the selected albums and/or photos")->for_js() ?>"
   var item_id = <?= $item->id ?>;
 
-  var csrf = "<?= $csrf ?>";
-  var rearrangeUrl = "<?= url::site("__URI__/__ITEM_ID____TASK_ID__?csrf=$csrf") ?>";
+  var csrf = <?= json_encode($csrf) ?>;
+  var rearrangeUrl = "<?= url::site("__URI__/__ITEM_ID____TASK_ID__?csrf=$csrf")->for_js() ?>";
   $("#doc3").ready(function() {
     organize_dialog_init();
   });
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index d27f9260..61821428 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel') ?>";
+   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
    </script>
    <?= $theme->script("gallery.dialog.js") ?>
    <?= $theme->script("superfish/js/superfish.js") ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 1f25a626..75d51eff 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -20,7 +20,7 @@
   </div>
 
   <script type="text/javascript">
-    var ADD_A_COMMENT = "<?= t("Add a comment") ?>";
+    var ADD_A_COMMENT = "<?= t("Add a comment")->for_js() ?>";
   </script>
   <?= $theme->photo_bottom() ?>
 </div>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index ea2be37b..8d9f0caa 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -51,7 +51,7 @@
     <?= $theme->script("gallery.common.js") ?>
     <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
     <script type="text/javascript">
-    var MSG_CANCEL = "<?= t('Cancel') ?>";
+    var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
     </script>
     <?= $theme->script("gallery.dialog.js") ?>
     <?= $theme->script("gallery.form.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 1f92e9ba..fcf597cf 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      show_full_size("<?= $theme->item()->file_url() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      show_full_size("<?= $theme->item()->file_url()->for_js() ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
@@ -55,7 +55,7 @@
   </div>
 
   <script type="text/javascript">
-    var ADD_A_COMMENT = "<?= t("Add a comment") ?>";
+    var ADD_A_COMMENT = "<?= t("Add a comment")->for_js() ?>";
   </script>
   <?= $theme->photo_bottom() ?>
 </div>
-- 
cgit v1.2.3


From 00c73ec852c29c214d72193ce368bc12a7305794 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 30 Aug 2009 15:34:46 -0700
Subject: Updating uses of html::js_string and SafeString::for_js (value now
 contains string delimiters)

---
 modules/gallery/views/admin_languages.html.php    | 86 +++++++++++------------
 modules/gallery/views/l10n_client.html.php        | 10 +--
 modules/gallery/views/permissions_browse.html.php | 17 ++---
 modules/gallery/views/simple_uploader.html.php    | 50 ++++++-------
 themes/admin_default/views/admin.html.php         |  2 +-
 themes/default/views/page.html.php                |  4 +-
 themes/default/views/photo.html.php               |  2 +-
 7 files changed, 85 insertions(+), 86 deletions(-)

(limited to 'themes/default/views/page.html.php')

diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php
index ae2b3383..fa97d299 100644
--- a/modules/gallery/views/admin_languages.html.php
+++ b/modules/gallery/views/admin_languages.html.php
@@ -11,12 +11,11 @@
       <tr>
         <th> <?= t("Installed") ?> </th>
         <th> <?= t("Language") ?> </th>
-				<th> <?= t("Default language") ?> </th>
+        <th> <?= t("Default language") ?> </th>
       </tr>
       <? $i = 0 ?>
       <? foreach ($available_locales as $code => $display_name):  ?>
-			
-			<? if ($i == (count($available_locales)/2)): ?>
+      <? if ($i == (count($available_locales)/2)): ?>
       <table>
         <tr>
           <th> <?= t("Installed") ?> </th>
@@ -24,24 +23,24 @@
           <th> <?= t("Default language") ?> </th>
         </tr>
       <? endif ?>
-			
+
       <tr class="<?= (isset($installed_locales[$code])) ? "installed" : "" ?><?= ($default_locale == $code) ? " default" : "" ?>">
         <td> <?= form::checkbox("installed_locales[]", $code, isset($installed_locales[$code])) ?> </td>
-				<td> <?= $display_name ?> </td>
-				<td>
-					<?= form::radio("default_locale", $code, ($default_locale == $code), ((isset($installed_locales[$code]))?'':'disabled="disabled"') ) ?>
-				</td>
+        <td> <?= $display_name ?> </td>
+        <td>
+        <?= form::radio("default_locale", $code, ($default_locale == $code), ((isset($installed_locales[$code]))?'':'disabled="disabled"') ) ?>
+        </td>
       </tr>
       <? $i++ ?>
-			
+
       <? endforeach ?>
     </table>
-		<input type="submit" value="<?= t("Update languages")->for_html_attr() ?>" />
+    <input type="submit" value="<?= t("Update languages")->for_html_attr() ?>" />
   </form>
-	
-	<script type="text/javascript">
-    var old_default_locale = "<?= html::clean_js($default_locale) ?>";
-    
+
+  <script type="text/javascript">
+    var old_default_locale = <?= html::js_string($default_locale) ?>;
+
     $("input[name='installed_locales[]']").change(function (event) {
       if (this.checked) {
         $("input[type='radio'][value='" + this.value + "']").enable();
@@ -57,7 +56,7 @@
       dataType: "json",
       success: function(data) {
         if (data.result == "success") {
-          el = $('<a href="<?= html::clean_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
+          el = $('<a href="' + <?= html::js_string(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?> + '"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
           el.gallery_dialog();
           el.trigger('click');
         }
@@ -68,38 +67,37 @@
 
 <div id="gTranslations">
   <h1> <?= t("Translations") ?> </h1>
-	<p>
+  <p>
     <?= t("Create your own translations and share them with the rest of the Gallery community.") ?>
   </p>
-	
-	<h3><?= t("Translating Gallery") ?></h3>
-	
-	<div class="gBlock">
-		<a href="http://codex.gallery2.org/Gallery3:Localization" target="_blank"
-		  class="gDocLink ui-state-default ui-corner-all ui-icon ui-icon-help"
-			title="<?= t("Localization documentation")->for_html_attr() ?>">
+
+  <h3><?= t("Translating Gallery") ?></h3>
+
+  <div class="gBlock">
+    <a href="http://codex.gallery2.org/Gallery3:Localization" target="_blank"
+       class="gDocLink ui-state-default ui-corner-all ui-icon ui-icon-help"
+       title="<?= t("Localization documentation")->for_html_attr() ?>">
       <?= t("Localization documentation") ?>
     </a>
-		
-		<p><?= t("<strong>Step 1:</strong> Make sure the target language is installed and up to date (check above).") ?></p>
-		
-      <p><?= t("<strong>Step 2:</strong> Make sure you have selected the right  target language (currently %default_locale).",
-               array("default_locale" => locales::display_name())) ?></p>
-		
-		<p><?= t("<strong>Step 3:</strong> Start the translation mode and the translation interface will appear at the bottom of each Gallery page.") ?></p>
-		
-		<a href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>"
-		  class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
-		  <span class="ui-icon ui-icon-power"></span>
-                  <? if (Session::instance()->get("l10n_mode", false)): ?>
-                  <?= t("Stop translation mode") ?>
-                  <? else: ?>
-                  <?= t("Start translation mode") ?>
-                  <? endif ?>
-	  </a>
-	</div>
-	
-	<h3>Sharing your translations</h3>
-	
+
+    <p><?= t("<strong>Step 1:</strong> Make sure the target language is installed and up to date (check above).") ?></p>
+
+    <p><?= t("<strong>Step 2:</strong> Make sure you have selected the right  target language (currently %default_locale).",
+             array("default_locale" => locales::display_name())) ?></p>
+
+    <p><?= t("<strong>Step 3:</strong> Start the translation mode and the translation interface will appear at the bottom of each Gallery page.") ?></p>
+
+    <a href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>"
+       class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
+      <span class="ui-icon ui-icon-power"></span>
+      <? if (Session::instance()->get("l10n_mode", false)): ?>
+      <?= t("Stop translation mode") ?>
+      <? else: ?>
+      <?= t("Start translation mode") ?>
+      <? endif ?>
+   </a>
+</div>
+
+<h3>Sharing your translations</h3>
   <?= $share_translations_form ?>
 </div>
diff --git a/modules/gallery/views/l10n_client.html.php b/modules/gallery/views/l10n_client.html.php
index 520fd79e..aca1e654 100644
--- a/modules/gallery/views/l10n_client.html.php
+++ b/modules/gallery/views/l10n_client.html.php
@@ -2,9 +2,9 @@
 <div id="l10n-client" class="hidden">
   <div class="labels">
     <span id="l10n-client-toggler">
-    	<a id="gMinimizeL10n">_</a>
-			<a id="gCloseL10n" href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>">X</a>
-	  </span>
+      <a id="gMinimizeL10n">_</a>
+      <a id="gCloseL10n" href="<?= url::site("l10n_client/toggle_l10n_mode?csrf=".access::csrf_token()) ?>">X</a>
+    </span>
     <div class="label strings"><h2><?= t("Page Text") ?>
     <? if (!Input::instance()->get('show_all_l10n_messages')): ?>
       <a style="background-color:#fff" href="<?= url::site("admin/languages?show_all_l10n_messages=1") ?>"><?= t("(Show All)") ?></a>
@@ -72,8 +72,8 @@
     </div>
   </div>
   <script type="text/javascript">
-    var MSG_TRANSLATE_TEXT = "<?= t("Translate Text")->for_js() ?>";
-    var MSG_CLOSE_X = "<?= t("X")->for_js() ?>";
+    var MSG_TRANSLATE_TEXT = <?= t("Translate Text")->for_js() ?>;
+    var MSG_CLOSE_X = <?= t("X")->for_js() ?>;
     var l10n_client_data = <?= json_encode($string_list) ?>;
     var plural_forms = <?= json_encode($plural_forms) ?>;
   </script>
diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php
index d9395b3f..231daa04 100644
--- a/modules/gallery/views/permissions_browse.html.php
+++ b/modules/gallery/views/permissions_browse.html.php
@@ -5,9 +5,9 @@
     $.ajax({
       url: form_url.replace("__ITEM__", id),
       success: function(data) {
-		    $("#gEditPermissionForm").html(data);
-		    $(".active").removeClass("active");
-		    $("#item-" + id).addClass("active");
+          $("#gEditPermissionForm").html(data);
+          $(".active").removeClass("active");
+          $("#item-" + id).addClass("active");
       }
     });
   }
@@ -28,13 +28,14 @@
   <? if (!$htaccess_works): ?>
   <ul id="gMessage">
     <li class="gError">
-      <?= t("Oh no!  Your server needs a configuration change in order for you to hide photos!  Ask your server administrator to enable <a %mod_rewrite_attrs>mod_rewrite</a> and set <a %apache_attrs><i>AllowOverride FileInfo Options</i></a> to fix this.", array("mod_rewrite_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\"")) ?>
+      <?= t("Oh no!  Your server needs a configuration change in order for you to hide photos!  Ask your server administrator to enable <a %mod_rewrite_attrs>mod_rewrite</a> and set <a %apache_attrs><i>AllowOverride FileInfo Options</i></a> to fix this.",
+            array("mod_rewrite_attrs" => html::mark_safe("href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\""))) ?>
     </li>
   </ul>
   <? endif ?>
-  
+
   <p><?= t("Edit permissions for album:") ?></p>
-  
+
   <ul class="gBreadcrumbs">
     <? foreach ($parents as $parent): ?>
     <li id="item-<?= $parent->id ?>">
@@ -45,11 +46,11 @@
     <? endforeach ?>
     <li class="active" id="item-<?= $item->id ?>">
       <a href="javascript:show(<?= $item->id ?>)">
-    	<?= html::purify($item->title) ?>
+        <?= html::purify($item->title) ?>
       </a>
     </li>
   </ul>
-  
+
   <div id="gEditPermissionForm">
     <?= $form ?>
   </div>
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index ccb166fc..9cf554ec 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,22 +82,22 @@
 
 <script type="text/javascript">
   var swfu = new SWFUpload({
-    flash_url: "<?= html::clean_js(url::file("lib/swfupload/swfupload.swf")) ?>",
-    upload_url: "<?= html::clean_js(url::site("simple_uploader/add_photo/$item->id")) ?>",
+    flash_url: <?= html::js_string(url::file("lib/swfupload/swfupload.swf")) ?>,
+    upload_url: <?= html::js_string(url::site("simple_uploader/add_photo/$item->id")) ?>,
     post_params: <?= json_encode(array(
       "g3sid" => Session::instance()->id(),
       "user_agent" => Input::instance()->server("HTTP_USER_AGENT"),
       "csrf" => $csrf)) ?>,
-    file_size_limit: "<?= html::clean_js(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>",
+    file_size_limit: <?= html::js_string(ini_get("upload_max_filesize") ? num::convert_to_bytes(ini_get("upload_max_filesize"))."B" : "100MB") ?>,
     file_types: "*.gif;*.jpg;*.jpeg;*.png;*.flv;*.mp4;*.GIF;*.JPG;*.JPEG;*.PNG;*.FLV;*.MP4",
-    file_types_description: "<?= t("Photos and Movies")->for_js() ?>",
+    file_types_description: <?= t("Photos and Movies")->for_js() ?>,
     file_upload_limit: 1000,
     file_queue_limit: 0,
     custom_settings: { },
     debug: false,
 
     // Button settings
-    button_image_url: "<?= html::clean_js(url::file("themes/default/images/select-photos-backg.png")) ?>",
+    button_image_url: <?= html::js_string(url::file("themes/default/images/select-photos-backg.png")) ?>,
     button_width: "202",
     button_height: "45",
     button_placeholder_id: "gChooseFilesButtonPlaceholder",
@@ -145,13 +145,13 @@
   function file_queued(file) {
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("pending", "<?= t("Pending...")->for_js() ?>");
+    fp.set_status("pending", <?= t("Pending...")->for_js() ?>);
     // @todo add cancel button to call this.cancelUpload(file.id)
   }
 
   function file_queue_error(file, error_code, message) {
     if (error_code === SWFUpload.QUEUE_ERROR.QUEUE_LIMIT_EXCEEDED) {
-      alert("<?= t("You have attempted to queue too many files.")->for_js() ?>");
+      alert(<?= t("You have attempted to queue too many files.")->for_js() ?>);
       return;
     }
 
@@ -159,20 +159,20 @@
     switch (error_code) {
     case SWFUpload.QUEUE_ERROR.FILE_EXCEEDS_SIZE_LIMIT:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>");
+      fp.set_status("error", <?= t("<strong>File is too big.</strong> A likely error source is a too low value for <em>upload_max_filesize</em> (%upload_max_filesize) in your <em>php.ini</em>.", array("upload_max_filesize" => ini_get("upload_max_filesize")))->for_js() ?>);
       break;
     case SWFUpload.QUEUE_ERROR.ZERO_BYTE_FILE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Cannot upload empty files.")->for_js() ?>");
+      fp.set_status("error", <?= t("Cannot upload empty files.")->for_js() ?>);
       break;
     case SWFUpload.QUEUE_ERROR.INVALID_FILETYPE:
       fp.title.html(file.name);
-      fp.set_status("error", "<?= t("Invalid file type.")->for_js() ?>");
+      fp.set_status("error", <?= t("Invalid file type.")->for_js() ?>);
       break;
     default:
       if (file !== null) {
         fp.title.html(file.name);
-        fp.set_status("error", "<?= t("Unknown error")->for_js() ?>");
+        fp.set_status("error", <?= t("Unknown error")->for_js() ?>);
       }
       break;
     }
@@ -193,7 +193,7 @@
     // no uploadProgress events are called (limitation in the Linux Flash VM).
     var fp = new File_Progress(file);
     fp.title.html(file.name);
-    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
+    fp.set_status("uploading", <?= t("Uploading...")->for_js() ?>);
     $("#gAddPhotosCanvas").scrollTo(fp.box, 1000);
     return true;
     // @todo add cancel button to call this.cancelUpload(file.id)
@@ -202,7 +202,7 @@
   function upload_progress(file, bytes_loaded, bytes_total) {
     var percent = Math.ceil((bytes_loaded / bytes_total) * 100);
     var fp = new File_Progress(file);
-    fp.set_status("uploading", "<?= t("Uploading...")->for_js() ?>");
+    fp.set_status("uploading", <?= t("Uploading...")->for_js() ?>);
     fp.progress_bar.css("visibility", "visible");
     fp.progress_bar.progressbar("value", percent);
   }
@@ -210,42 +210,42 @@
   function upload_success(file, serverData) {
     var fp = new File_Progress(file);
     fp.progress_bar.progressbar("value", 100);
-    fp.set_status("complete", "<?= t("Complete.")->for_js() ?>");
+    fp.set_status("complete", <?= t("Complete.")->for_js() ?>);
   }
 
   function upload_error(file, error_code, message) {
     var fp = new File_Progress(file);
     switch (error_code) {
     case SWFUpload.UPLOAD_ERROR.HTTP_ERROR:
-      fp.set_status("error", "<?= t("Upload error: bad image file")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload error: bad image file")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_FAILED:
-      fp.set_status("error", "<?= t("Upload failed")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload failed")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.IO_ERROR:
-      fp.set_status("error", "<?= t("Server error")->for_js() ?>");
+      fp.set_status("error", <?= t("Server error")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.SECURITY_ERROR:
-      fp.set_status("error", "<?= t("Security error")->for_js() ?>");
+      fp.set_status("error", <?= t("Security error")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_LIMIT_EXCEEDED:
-      fp.set_status("error", "<?= t("Upload limit exceeded")->for_js() ?>");
+      fp.set_status("error", <?= t("Upload limit exceeded")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_VALIDATION_FAILED:
-      fp.set_status("error", "<?= t("Failed validation.  File skipped")->for_js() ?>");
+      fp.set_status("error", <?= t("Failed validation.  File skipped")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.FILE_CANCELLED:
       // If there aren't any files left (they were all cancelled) disable the cancel button
       if (this.getStats().files_queued === 0) {
         $("#gUploadCancel").hide();
       }
-      fp.set_status("error", "<?= t("Cancelled")->for_js() ?>");
+      fp.set_status("error", <?= t("Cancelled")->for_js() ?>);
       break;
     case SWFUpload.UPLOAD_ERROR.UPLOAD_STOPPED:
-      fp.set_status("error", "<?= t("Stopped")->for_js() ?>");
+      fp.set_status("error", <?= t("Stopped")->for_js() ?>);
       break;
     default:
-      fp.set_status("error", "<?= t("Unknown error: ")->for_js() ?>" + error_code);
+      fp.set_status("error", <?= t("Unknown error: ")->for_js() ?> + error_code);
       break;
     }
   }
@@ -259,7 +259,7 @@
   }
 
   function get_completed_status_msg(stats) {
-    var msg = "<?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>";
+    var msg = <?= t("Upload Queue (completed %completed of %total)", array("completed" => "__COMPLETED__", "total" => "__TOTAL__"))->for_js() ?>;
     msg = msg.replace("__COMPLETED__", stats.successful_uploads);
     msg = msg.replace("__TOTAL__", stats.files_queued + stats.successful_uploads +
       stats.upload_errors + stats.upload_cancelled + stats.queue_errors);
@@ -268,7 +268,7 @@
 
   // This event comes from the Queue Plugin
   function queue_complete(num_files_uploaded) {
-    var status_msg = "<?= t("Uploaded: __COUNT__")->for_js() ?>";
+    var status_msg = <?= t("Uploaded: __COUNT__")->for_js() ?>;
     $("#gUploadStatus").html(status_msg.replace("__COUNT__", num_files_uploaded));
   }
 </script>
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index 2ed8c38e..3b1ff92c 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -23,7 +23,7 @@
    <?= $theme->script("gallery.common.js") ?>
    <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
    <script type="text/javascript">
-   var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
+   var MSG_CANCEL = <?= t('Cancel')->for_js() ?>;
    </script>
    <?= $theme->script("gallery.ajax.js") ?>
    <?= $theme->script("gallery.dialog.js") ?>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index 844ef295..2696442b 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -12,7 +12,7 @@
           <? if ($theme->item()->is_album()): ?>
           <?= t("Browse Album :: %album_title", array("album_title" => $theme->item()->title)) ?>
           <? elseif ($theme->item()->is_photo()): ?>
-	  <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
+          <?= t("Photo :: %photo_title", array("photo_title" => $theme->item()->title)) ?>
           <? else: ?>
           <?= t("Movie :: %movie_title", array("movie_title" => $theme->item()->title)) ?>
           <? endif ?>
@@ -51,7 +51,7 @@
     <?= $theme->script("gallery.common.js") ?>
     <? /* MSG_CANCEL is required by gallery.dialog.js */ ?>
     <script type="text/javascript">
-    var MSG_CANCEL = "<?= t('Cancel')->for_js() ?>";
+    var MSG_CANCEL = <?= t('Cancel')->for_js() ?>;
     </script>
     <?= $theme->script("gallery.ajax.js") ?>
     <?= $theme->script("gallery.dialog.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 00e157ce..5289b467 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
 <script>
   $(document).ready(function() {
     $(".gFullSizeLink").click(function() {
-      $.gallery_show_full_size("<?= html::clean_js($theme->item()->file_url()) ?>", "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
+      $.gallery_show_full_size(<?= html::js_string($theme->item()->file_url()) ?>, "<?= $theme->item()->width ?>", "<?= $theme->item()->height ?>");
       return false;
     });
   });
-- 
cgit v1.2.3