Add missing html escaping.

This should have been here the whole time. Many of these variables could
contain user input.

lib/Cake/View/Errors/missing_action.ctp

@@ -17,20 +17,20 @@
  * @license       MIT License (http://www.opensource.org/licenses/mit-license.php)
  */
 ?>
-<h2><?php echo __d('cake_dev', 'Missing Method in %s', $controller); ?></h2> <p class="error">
+<h2><?php echo __d('cake_dev', 'Missing Method in %s', h($controller)); ?></h2> <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'The action %1$s is not defined in controller %2$s', '<em>' . $action . '</em>', '<em>' . $controller . '</em>'); ?>
+	<?php echo __d('cake_dev', 'The action %1$s is not defined in controller %2$s', '<em>' . h($action) . '</em>', '<em>' . h($controller) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Create %1$s%2$s in file: %3$s.', '<em>' . $controller . '::</em>', '<em>' . $action . '()</em>', APP_DIR . DS . 'Controller' . DS . $controller . '.php'); ?>
+	<?php echo __d('cake_dev', 'Create %1$s%2$s in file: %3$s.', '<em>' . h($controller) . '::</em>', '<em>' . h($action) . '()</em>', APP_DIR . DS . 'Controller' . DS . h($controller) . '.php'); ?>
 </p>
 <pre>
 &lt;?php
-class <?php echo $controller; ?> extends AppController {
+class <?php echo h($controller); ?> extends AppController {
 
 <strong>
-	public function <?php echo $action; ?>() {
+	public function <?php echo h($action); ?>() {
 
 	}
 </strong>

lib/Cake/View/Errors/missing_behavior.ctp

@@ -21,15 +21,15 @@ $pluginDot = empty($plugin) ? null : $plugin . '.';
 <h2><?php echo __d('cake_dev', 'Missing Behavior'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . $pluginDot . $class . '</em>'); ?>
+	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . h($pluginDot . $class) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . $class . '</em>', (empty($plugin) ? APP_DIR . DS : CakePlugin::path($plugin)) . 'Model' . DS . 'Behavior' . DS . $class . '.php'); ?>
+	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . h($class) . '</em>', (empty($plugin) ? APP_DIR . DS : CakePlugin::path($plugin)) . 'Model' . DS . 'Behavior' . DS . h($class) . '.php'); ?>
 </p>
 <pre>
 &lt;?php
-class <?php echo $class; ?> extends ModelBehavior {
+class <?php echo h($class); ?> extends ModelBehavior {
 
 }
 </pre>

lib/Cake/View/Errors/missing_component.ctp

@@ -21,15 +21,15 @@ $pluginDot = empty($plugin) ? null : $plugin . '.';
 <h2><?php echo __d('cake_dev', 'Missing Component'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . $pluginDot . $class . '</em>'); ?>
+	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . h($pluginDot . $class) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . $class . '</em>', (empty($plugin) ? APP_DIR : CakePlugin::path($plugin)) . DS . 'Controller' . DS . 'Component' . DS . $class . '.php'); ?>
+	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . h($class) . '</em>', (empty($plugin) ? APP_DIR : CakePlugin::path($plugin)) . DS . 'Controller' . DS . 'Component' . DS . h($class) . '.php'); ?>
 </p>
 <pre>
 &lt;?php
-class <?php echo $class; ?> extends Component {
+class <?php echo h($class); ?> extends Component {
 
 }
 </pre>

lib/Cake/View/Errors/missing_connection.ctp

@@ -20,18 +20,18 @@
 <h2><?php echo __d('cake_dev', 'Missing Database Connection'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'A Database connection using "%s" was missing or unable to connect. ', $class); ?>
+	<?php echo __d('cake_dev', 'A Database connection using "%s" was missing or unable to connect. ', h($class)); ?>
 	<br />
 	<?php
 	if (isset($message)):
-		echo __d('cake_dev', 'The database server returned this error: %s', $message);
+		echo __d('cake_dev', 'The database server returned this error: %s', h($message));
 	endif;
 	?>
 </p>
 <?php if (!$enabled) : ?>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', '%s driver is NOT enabled', $class); ?>
+	<?php echo __d('cake_dev', '%s driver is NOT enabled', h($class)); ?>
 </p>
 <?php endif; ?>
 <p class="notice">

lib/Cake/View/Errors/missing_controller.ctp

@@ -21,15 +21,15 @@ $pluginDot = empty($plugin) ? null : $plugin . '.';
 <h2><?php echo __d('cake_dev', 'Missing Controller'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . $pluginDot . $class . '</em>'); ?>
+	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . h($pluginDot . $class) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . $class . '</em>', (empty($plugin) ? APP_DIR . DS : CakePlugin::path($plugin)) . 'Controller' . DS . $class . '.php'); ?>
+	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . h($class) . '</em>', (empty($plugin) ? APP_DIR . DS : CakePlugin::path($plugin)) . 'Controller' . DS . h($class) . '.php'); ?>
 </p>
 <pre>
 &lt;?php
-class <?php echo $class . ' extends ' . $plugin; ?>AppController {
+class <?php echo h($class . ' extends ' . $plugin); ?>AppController {
 
 }
 </pre>

lib/Cake/View/Errors/missing_datasource.ctp

@@ -21,7 +21,7 @@ $pluginDot = empty($plugin) ? null : $plugin . '.';
 <h2><?php echo __d('cake_dev', 'Missing Datasource'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Datasource class %s could not be found.', '<em>' . $pluginDot . $class . '</em>'); ?>
+	<?php echo __d('cake_dev', 'Datasource class %s could not be found.', '<em>' . h($pluginDot . $class) . '</em>'); ?>
 	<?php if (isset($message)):  ?>
 		<?php echo h($message); ?>
 	<?php endif; ?>

lib/Cake/View/Errors/missing_datasource_config.ctp

@@ -20,7 +20,7 @@
 <h2><?php echo __d('cake_dev', 'Missing Datasource Configuration'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'The datasource configuration %1$s was not found in database.php.', '<em>' . $config . '</em>'); ?>
+	<?php echo __d('cake_dev', 'The datasource configuration %1$s was not found in database.php.', '<em>' . h($config) . '</em>'); ?>
 </p>
 <p class="notice">
 	<strong><?php echo __d('cake_dev', 'Notice'); ?>: </strong>

lib/Cake/View/Errors/missing_helper.ctp

@@ -21,15 +21,15 @@ $pluginDot = empty($plugin) ? null : $plugin . '.';
 <h2><?php echo __d('cake_dev', 'Missing Helper'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . $pluginDot . $class . '</em>'); ?>
+	<?php echo __d('cake_dev', '%s could not be found.', '<em>' . h($pluginDot . $class) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . $class . '</em>', (empty($plugin) ? APP_DIR . DS : CakePlugin::path($plugin)) . 'View' . DS . 'Helper' . DS . $class . '.php'); ?>
+	<?php echo __d('cake_dev', 'Create the class %s below in file: %s', '<em>' . h($class) . '</em>', (empty($plugin) ? APP_DIR . DS : CakePlugin::path($plugin)) . 'View' . DS . 'Helper' . DS . h($class) . '.php'); ?>
 </p>
 <pre>
 &lt;?php
-class <?php echo $class; ?> extends AppHelper {
+class <?php echo h($class); ?> extends AppHelper {
 
 }
 </pre>

lib/Cake/View/Errors/missing_layout.ctp

@@ -20,11 +20,11 @@
 <h2><?php echo __d('cake_dev', 'Missing Layout'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'The layout file %s can not be found or does not exist.', '<em>' . $file . '</em>'); ?>
+	<?php echo __d('cake_dev', 'The layout file %s can not be found or does not exist.', '<em>' . h($file) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Confirm you have created the file: %s', '<em>' . $file . '</em>'); ?>
+	<?php echo __d('cake_dev', 'Confirm you have created the file: %s', '<em>' . h($file) . '</em>'); ?>
 </p>
 <p class="notice">
 	<strong><?php echo __d('cake_dev', 'Notice'); ?>: </strong>

lib/Cake/View/Errors/missing_plugin.ctp

@@ -20,15 +20,15 @@
 <h2><?php echo __d('cake_dev', 'Missing Plugin'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'The application is trying to load a file from the %s plugin', '<em>' . $plugin . '</em>'); ?>
+	<?php echo __d('cake_dev', 'The application is trying to load a file from the %s plugin', '<em>' . h($plugin) . '</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
 	<?php echo __d('cake_dev', 'Make sure your plugin %s is in the ' . APP_DIR . DS . 'Plugin directory and was loaded', $plugin); ?>
 </p>
 <pre>
 &lt;?php
-CakePlugin::load('<?php echo $plugin?>');
+CakePlugin::load('<?php echo h($plugin); ?>');
 
 </pre>
 <p class="notice">

lib/Cake/View/Errors/missing_table.ctp

@@ -20,7 +20,7 @@
 <h2><?php echo __d('cake_dev', 'Missing Database Table'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Table %1$s for model %2$s was not found in datasource %3$s.', '<em>' . $table . '</em>',  '<em>' . $class . '</em>', '<em>' . $ds . '</em>'); ?>
+	<?php echo __d('cake_dev', 'Table %1$s for model %2$s was not found in datasource %3$s.', '<em>' . h($table) . '</em>',  '<em>' . h($class) . '</em>', '<em>' . h($ds) . '</em>'); ?>
 </p>
 <p class="notice">
 	<strong><?php echo __d('cake_dev', 'Notice'); ?>: </strong>

lib/Cake/View/Errors/missing_view.ctp

@@ -20,11 +20,11 @@
 <h2><?php echo __d('cake_dev', 'Missing View'); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'The view for %1$s%2$s was not found.', '<em>' . Inflector::camelize($this->request->controller) . 'Controller::</em>', '<em>' . $this->request->action . '()</em>'); ?>
+	<?php echo __d('cake_dev', 'The view for %1$s%2$s was not found.', '<em>' . h(Inflector::camelize($this->request->controller)) . 'Controller::</em>', '<em>' . h($this->request->action) . '()</em>'); ?>
 </p>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', 'Confirm you have created the file: %s', $file); ?>
+	<?php echo __d('cake_dev', 'Confirm you have created the file: %s', h($file)); ?>
 </p>
 <p class="notice">
 	<strong><?php echo __d('cake_dev', 'Notice'); ?>: </strong>

lib/Cake/View/Errors/private_action.ctp

@@ -20,7 +20,7 @@
 <h2><?php echo __d('cake_dev', 'Private Method in %s', $controller); ?></h2>
 <p class="error">
 	<strong><?php echo __d('cake_dev', 'Error'); ?>: </strong>
-	<?php echo __d('cake_dev', '%s%s cannot be accessed directly.', '<em>' . $controller . '::</em>', '<em>' . $action . '()</em>'); ?>
+	<?php echo __d('cake_dev', '%s%s cannot be accessed directly.', '<em>' . h($controller) . '::</em>', '<em>' . h($action) . '()</em>'); ?>
 </p>
 <p class="notice">
 	<strong><?php echo __d('cake_dev', 'Notice'); ?>: </strong>