

Update all code to use helper method html::clean(), html::purify(), .…
….. instead of SafeString directly.
andyst committed Aug 30, 2009
1 parent 952c885 commit b9bd168
Showing 52 changed files with 143 additions and 143 deletions.
8 changes: 4 additions & 4 deletions modules/comment/controllers/comments.php
Expand Up @@ -39,9 +39,9 @@ public function _index() {
foreach ($comments as $comment) {
$data[] = array(
"id" => $comment->id,
"author_name" => SafeString::of($comment->author_name()),
"author_name" => html::clean($comment->author_name()),
"created" => $comment->created,
"text" => nl2br(SafeString::purify($comment->text)));
"text" => nl2br(html::purify($comment->text)));
}
print json_encode($data);
break;
Expand Down Expand Up @@ -126,9 +126,9 @@ public function _show($comment) {
array("result" => "success",
"data" => array(
"id" => $comment->id,
"author_name" => SafeString::of($comment->author_name()),
"author_name" => html::clean($comment->author_name()),
"created" => $comment->created,
"text" => nl2br(SafeString::purify($comment->text)))));
"text" => nl2br(html::purify($comment->text)))));
} else {
$view = new Theme_View("comment.html", "fragment");
$view->comment = $comment;
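Review bot: The cleaned values at the `"author_name"` and `"text"` keys are passed straight to `json_encode($data)` a few lines later, and `json_encode` does not invoke `__toString` on objects, so if `html::clean()`/`html::purify()` return a SafeString instance rather than a plain string the JSON will carry an empty object where the client expects text; the `_show` hunk has the same shape. This is no different from the `SafeString::of` version it replaces, but the wrapper's return type is not visible in this diff, so it is worth pinning with a test on the JSON branch or casting at the call site: `"author_name" => (string) html::clean($comment->author_name()),`. Both `_index` and `_show` start and end outside their hunks.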
8 changes: 4 additions & 4 deletions modules/comment/helpers/comment_rss.php
Expand Up @@ -23,7 +23,7 @@ static function available_feeds($item, $tag) {
$feeds["comment/newest"] = t("All new comments");
if ($item) {
$feeds["comment/item/$item->id"] =
t("Comments on %title", array("title" => SafeString::purify($item->title)));
t("Comments on %title", array("title" => html::purify($item->title)));
}
return $feeds;
}
Expand All @@ -49,13 +49,13 @@ static function feed($feed_id, $offset, $limit, $id) {
$item = $comment->item();
$feed->children[] = new ArrayObject(
array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
"text" => nl2br(SafeString::purify($comment->text)),
"text" => nl2br(html::purify($comment->text)),
"thumb_url" => $item->thumb_url(),
"thumb_height" => $item->thumb_height,
"thumb_width" => $item->thumb_width,
"item_uri" => url::abs_site("{$item->type}s/$item->id"),
"title" => SafeString::purify($item->title),
"author" => SafeString::of($comment->author_name())),
"title" => html::purify($item->title),
"author" => html::clean($comment->author_name())),
ArrayObject::ARRAY_AS_PROPS);
}

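Review bot: `feed()` now stores already-escaped values in the feed object (`"title" => html::purify($item->title)` and `"author" => html::clean($comment->author_name())`), yet the consuming view `modules/comment/views/comment.mrss.php` applies `html::purify($child->title)` and `html::clean($child->author)` to the same fields again; `gallery_rss.php` does the same with `$feed->title` and `$feed->description`. Whether this double-encodes (`&amp;` becoming `&amp;amp;`) depends on whether the helpers short-circuit on a value that is already a SafeString, which is not visible here. Escaping once, at the output edge in the view, removes the ambiguity; if the feed object is also consumed by callers that do not escape, keep it in the helper and have the view print the field raw with a comment saying it is pre-escaped. `feed()` starts before the hunk.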
6 changes: 3 additions & 3 deletions modules/comment/views/admin_block_recent_comments.html.php
Expand Up @@ -4,13 +4,13 @@
<li class="<?= ($i % 2 == 0) ? "gEvenRow" : "gOddRow" ?>">
<img src="<?= $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true)) ?>"
class="gAvatar"
alt="<?= SafeString::of($comment->author_name()) ?>"
alt="<?= html::clean($comment->author_name()) ?>"
width="32"
height="32" />
<?= gallery::date_time($comment->created) ?>
<?= t('<a href="#">%author_name</a> said <em>%comment_text</em>',
array("author_name" => SafeString::of($comment->author_name()),
"comment_text" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50))); ?>
array("author_name" => html::clean($comment->author_name()),
"comment_text" => text::limit_words(nl2br(html::purify($comment->text)), 50))); ?>
</li>
<? endforeach ?>
</ul>
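Review bot: `text::limit_words(nl2br(html::purify($comment->text)), 50)` truncates after the text has already been turned into HTML, so the cut can land inside a tag or entity the purifier emitted (`<br />`, a still-open `<em>`, `&amp;`) and leave unbalanced markup in the block; `modules/g2_import/helpers/g2_import.php` builds its import message the same way. Truncating the raw text first and purifying the shorter string keeps the output well-formed: `"comment_text" => nl2br(html::purify(text::limit_words($comment->text, 50)))`. Whether `text::limit_words` appends an ellipsis or other markup of its own is not visible here, so check that its suffix does not itself need escaping afterward.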
10 changes: 5 additions & 5 deletions modules/comment/views/admin_comments.html.php
Expand Up @@ -108,12 +108,12 @@ function(data) {
<a href="#">
<img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
class="gAvatar"
alt="<?= SafeString::of($comment->author_name()) ?>"
alt="<?= html::clean($comment->author_name()) ?>"
width="40"
height="40" />
</a>
<p><a href="mailto:<?= SafeString::of($comment->author_email()) ?>"
title="<?= SafeString::of($comment->author_email()) ?>"> <?= SafeString::of($comment->author_name()) ?> </a></p>
<p><a href="mailto:<?= html::clean($comment->author_email()) ?>"
title="<?= html::clean($comment->author_email()) ?>"> <?= html::clean($comment->author_name()) ?> </a></p>
</td>
<td>
<div class="right">
Expand All @@ -122,7 +122,7 @@ class="gAvatar"
<a href="<?= $item->url() ?>">
<? if ($item->has_thumb()): ?>
<img src="<?= $item->thumb_url() ?>"
alt="<?= SafeString::purify($item->title) ?>"
alt="<?= html::purify($item->title) ?>"
<?= photo::img_dimensions($item->thumb_width, $item->thumb_height, 75) ?>
/>
<? else: ?>
Expand All @@ -132,7 +132,7 @@ class="gAvatar"
</div>
</div>
<p><?= gallery::date($comment->created) ?></p>
<?= nl2br(SafeString::purify($comment->text)) ?>
<?= nl2br(html::purify($comment->text)) ?>
</td>
<td>
<ul class="gButtonSetVertical">
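Review bot: `href="mailto:<?= html::clean($comment->author_email()) ?>"` escapes for the attribute, which prevents attribute breakout, but the value is also a URL, so an address that was not validated on input can still carry scheme or query characters into the link; `rawurlencode()` is the escape for that part of the context. Unless `author_email()` is known to be validated when the comment is created, `href="mailto:<?= html::clean(rawurlencode($comment->author_email())) ?>"` is the safer form (the `title` attribute on the next line is fine as is). The enclosing template loop starts before the hunk.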
6 changes: 3 additions & 3 deletions modules/comment/views/comment.html.php
Expand Up @@ -4,15 +4,15 @@
<a href="#">
<img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
class="gAvatar"
alt="<?= SafeString::of($comment->author_name()) ?>"
alt="<?= html::clean($comment->author_name()) ?>"
width="40"
height="40" />
</a>
<?= t("on %date_time, %author_name said",
array("date_time" => gallery::date_time($comment->created),
"author_name" => SafeString::of($comment->author_name()))) ?>
"author_name" => html::clean($comment->author_name()))) ?>
</p>
<div>
<?= nl2br(SafeString::purify($comment->text)) ?>
<?= nl2br(html::purify($comment->text)) ?>
</div>
</li>
12 changes: 6 additions & 6 deletions modules/comment/views/comment.mrss.php
Expand Up @@ -6,9 +6,9 @@
xmlns:fh="http://purl.org/syndication/history/1.0">
<channel>
<generator>Gallery 3</generator>
<title><?= SafeString::of($feed->title) ?></title>
<title><?= html::clean($feed->title) ?></title>
<link><?= $feed->uri ?></link>
<description><?= SafeString::of($feed->description) ?></description>
<description><?= html::clean($feed->description) ?></description>
<language>en-us</language>
<atom:link rel="self" href="<?= $feed->uri ?>" type="application/rss+xml" />
<fh:complete/>
Expand All @@ -22,14 +22,14 @@
<lastBuildDate><?= $pub_date ?></lastBuildDate>
<? foreach ($feed->children as $child): ?>
<item>
<title><?= SafeString::purify($child->title) ?></title>
<link><?= SafeString::of($child->item_uri) ?></link>
<author><?= SafeString::of($child->author) ?></author>
<title><?= html::purify($child->title) ?></title>
<link><?= html::clean($child->item_uri) ?></link>
<author><?= html::clean($child->author) ?></author>
<guid isPermaLink="true"><?= $child->item_uri ?></guid>
<pubDate><?= $child->pub_date ?></pubDate>
<content:encoded>
<![CDATA[
<p><?= nl2br(SafeString::purify($child->text)) ?></p>
<p><?= nl2br(html::purify($child->text)) ?></p>
<p>
<img alt="" src="<?= $child->thumb_url ?>"
height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" />
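Review bot: `<guid isPermaLink="true"><?= $child->item_uri ?></guid>` still prints `item_uri` raw while the `<link>` element on the line above now gets `html::clean($child->item_uri)`; the two carry the same value and should be escaped alike, so `html::clean` belongs on the guid line too (unchanged in this hunk). Separately, this file is XML and `html::purify` in `<title>` produces HTML: if the purifier can emit HTML-only named entities such as `&nbsp;` the feed becomes ill-formed, so confirm it is configured for numeric entities or raw UTF-8 output. The `<content:encoded>` CDATA section is safe against markup but not against a literal `]]>` in purified text, which is worth checking in the purifier configuration as well.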
6 changes: 3 additions & 3 deletions modules/comment/views/comments.html.php
Expand Up @@ -18,16 +18,16 @@ class="gButtonLink ui-corner-all ui-icon-left ui-state-default right">
<a href="#">
<img src="<?= $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true)) ?>"
class="gAvatar"
alt="<?= SafeString::of($comment->author_name()) ?>"
alt="<?= html::clean($comment->author_name()) ?>"
width="40"
height="40" />
</a>
<?= t('on %date <a href="#">%name</a> said',
array("date" => date("Y-M-d H:i:s", $comment->created),
"name" => SafeString::of($comment->author_name()))); ?>
"name" => html::clean($comment->author_name()))); ?>
</p>
<div>
<?= nl2br(SafeString::purify($comment->text)) ?>
<?= nl2br(html::purify($comment->text)) ?>
</div>
</li>
<? endforeach ?>
2 changes: 1 addition & 1 deletion modules/digibug/controllers/digibug.php
Expand Up @@ -50,7 +50,7 @@ public function print_photo($id) {
"image_width_1" => $item->width,
"thumb_height_1" => $item->thumb_height,
"thumb_width_1" => $item->thumb_width,
"title_1" => SafeString::purify($item->title));
"title_1" => html::purify($item->title));

print $v;
}
4 changes: 2 additions & 2 deletions modules/exif/views/exif_dialog.html.php
Expand Up @@ -14,14 +14,14 @@
<?= $details[$i]["caption"] ?>
</td>
<td class="gOdd">
<?= SafeString::of($details[$i]["value"]) ?>
<?= html::clean($details[$i]["value"]) ?>
</td>
<? if (!empty($details[++$i])): ?>
<td class="gEven">
<?= $details[$i]["caption"] ?>
</td>
<td class="gOdd">
<?= SafeString::of($details[$i]["value"]) ?>
<?= html::clean($details[$i]["value"]) ?>
</td>
<? else: ?>
<td class="gEven"></td><td class="gOdd"></td>
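Review bot: `<?= $details[$i]["caption"] ?>` in the two caption cells is still printed raw while the adjacent `value` cells now go through `html::clean()`; if captions come from a fixed, translated table in the exif module this is fine, but if any caption can be derived from the file's metadata it needs the same treatment, `<?= html::clean($details[$i]["caption"]) ?>`. The origin of the captions is not visible in this hunk, so please confirm it. The surrounding loop starts before the hunk.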
2 changes: 1 addition & 1 deletion modules/g2_import/helpers/g2_import.php
Expand Up @@ -590,7 +590,7 @@ static function import_comment(&$queue) {
self::map($g2_comment->getId(), $comment->id);
return t("Imported comment '%comment' for item with id: %id",
array("id" => $comment->item_id,
"comment" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50)));
"comment" => text::limit_words(nl2br(html::purify($comment->text)), 50)));
}

/**
2 changes: 1 addition & 1 deletion modules/gallery/controllers/admin_advanced_settings.php
Expand Up @@ -46,7 +46,7 @@ public function save($module_name, $var_name) {
module::set_var($module_name, $var_name, Input::instance()->post("value"));
message::success(
t("Saved value for %var (%module_name)",
array("var" => SafeString::of($var_name), "module_name" => $module_name)));
array("var" => html::clean($var_name), "module_name" => $module_name)));

print json_encode(array("result" => "success"));
}
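Review bot: In `save()`, `"var" => html::clean($var_name)` escapes one route argument while `"module_name" => $module_name` on the same line passes the other through untouched, although both come from the URL. If `t()` escapes its parameters unless they are marked safe, the `html::clean` is redundant; if it does not, `$module_name` is the one that needs it. Either way the two should be treated alike: `array("var" => html::clean($var_name), "module_name" => html::clean($module_name))`. The POSTed `value` is stored by `module::set_var` without validation on the line above, which predates this change but is worth a follow-up.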
10 changes: 5 additions & 5 deletions modules/gallery/controllers/quick.php
Expand Up @@ -75,7 +75,7 @@ public function make_album_cover($id) {
access::required("view", $item->parent());
access::required("edit", $item->parent());

$msg = t("Made <b>%title</b> this album's cover", array("title" => SafeString::purify($item->title)));
$msg = t("Made <b>%title</b> this album's cover", array("title" => html::purify($item->title)));

item::make_album_cover($item);
message::success($msg);
Expand All @@ -91,10 +91,10 @@ public function form_delete($id) {
if ($item->is_album()) {
print t(
"Delete the album <b>%title</b>? All photos and movies in the album will also be deleted.",
array("title" => SafeString::purify($item->title)));
array("title" => html::purify($item->title)));
} else {
print t("Are you sure you want to delete <b>%title</b>?",
array("title" => SafeString::purify($item->title)));
array("title" => html::purify($item->title)));
}

$form = item::get_delete_form($item);
Expand All @@ -108,9 +108,9 @@ public function delete($id) {
access::required("edit", $item);

if ($item->is_album()) {
$msg = t("Deleted album <b>%title</b>", array("title" => SafeString::purify($item->title)));
$msg = t("Deleted album <b>%title</b>", array("title" => html::purify($item->title)));
} else {
$msg = t("Deleted photo <b>%title</b>", array("title" => SafeString::purify($item->title)));
$msg = t("Deleted photo <b>%title</b>", array("title" => html::purify($item->title)));
}

$parent = $item->parent();
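Review bot: `html::purify($item->title)` is used in every message here (`make_album_cover`, `form_delete`, `delete`), as it is in `gallery_task.php`, `gallery_rss.php` and `digibug.php`; purify keeps whatever markup the purifier allows, so if item titles are plain text the narrower `html::clean($item->title)` is the better default and leaves less surface in messages that `message::success` renders as HTML. If titles are intentionally allowed to carry markup, a short comment on the helper saying so would stop reviewers from flagging this in each caller. All three methods start before their hunks.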
4 changes: 2 additions & 2 deletions modules/gallery/helpers/MY_html.php
Expand Up @@ -65,11 +65,11 @@ static function mark_safe($html) {
*
* Example:<pre>
* <script type="text/javascript>"
* var some_js_var = "<?= html::escape_for_js($php_var) ?>";
* var some_js_var = "<?= html::clean_js($php_var) ?>";
* </script>
* </pre>
*/
static function escape_for_js($string) {
static function clean_js($string) {
return SafeString::of($string)->for_js();
}

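Review bot: The docblock example for `clean_js()` still reads `<script type="text/javascript>"` with the quote after the `>`, so the example tag is broken HTML; it should be `<script type="text/javascript">`. Since this commit already edits that docblock for the rename, fixing it here keeps the example copy-pasteable. `mark_safe()` and the rest of the helper start and end outside the hunk.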
4 changes: 2 additions & 2 deletions modules/gallery/helpers/gallery_rss.php
Expand Up @@ -53,9 +53,9 @@ static function feed($feed_id, $offset, $limit, $id) {
->descendants($limit, $offset, array("type" => "photo"));
$feed->max_pages = ceil(
$item->viewable()->descendants_count(array("type" => "photo")) / $limit);
$feed->title = SafeString::purify($item->title);
$feed->title = html::purify($item->title);
$feed->link = url::abs_site("albums/{$item->id}");
$feed->description = nl2br(SafeString::purify($item->description));
$feed->description = nl2br(html::purify($item->description));

return $feed;
}
4 changes: 2 additions & 2 deletions modules/gallery/helpers/gallery_task.php
Expand Up @@ -64,10 +64,10 @@ static function rebuild_dirty_images($task) {
if (!$success) {
$ignored[$item->id] = 1;
$errors[] = t("Unable to rebuild images for '%title'",
array("title" => SafeString::purify($item->title)));
array("title" => html::purify($item->title)));
} else {
$errors[] = t("Successfully rebuilt images for '%title'",
array("title" => SafeString::purify($item->title)));
array("title" => html::purify($item->title)));
}
}

4 changes: 2 additions & 2 deletions modules/gallery/tests/Html_Helper_Test.php
Expand Up @@ -40,8 +40,8 @@ public function mark_safe_test() {
$safe_string_2);
}

public function escape_for_js_test() {
$string = html::escape_for_js("hello's <p >world</p>");
public function clean_js_test() {
$string = html::clean_js("hello's <p >world</p>");
$this->assert_equal("hello\\'s <p >world<\\/p>",
$string);
}
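Review bot: `clean_js_test` pins escaping of `'` and `/`, but the documented use in `MY_html.php` places the result inside a double-quoted JS string, and the test has no input containing `"` or a newline, so the behaviour that matters most for that example is unasserted. A second case such as `$string = html::clean_js("say \"hi\"\n");` with the expected escaped output would cover it. The expected value depends on `SafeString::for_js()`, which is not in this diff, so derive it from that implementation rather than guessing.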
4 changes: 2 additions & 2 deletions modules/gallery/tests/Xss_Security_Test.php
Expand Up @@ -151,7 +151,7 @@ public function find_unescaped_variables_in_views_test() {
if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
in_array($tokens[$token_number + 2][1],
array("clean", "purify", "escape_for_js", "clean_attribute_test")) &&
array("clean", "purify", "clean_js", "clean_attribute")) &&
self::_token_matches("(", $tokens, $token_number + 3)) {
// Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).

Expand All @@ -161,7 +161,7 @@ public function find_unescaped_variables_in_views_test() {
$token_number += 3;
$token = $tokens[$token_number];

if ("escape_for_js" == $method) {
if ("clean_js" == $method) {
$frame->is_safe_js(true);
} else {
$frame->is_safe_html(true);
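Review bot: Dropping `escape_for_js` from the recognised-method list means any view that still calls `html::escape_for_js()` is reported as unescaped by `find_unescaped_variables_in_views_test`, and `modules/gallery/views/admin_languages.html.php` in this same commit does exactly that, so this test should fail until that view is moved to `html::clean_js()`. Minor: the `in_array(...)` on the changed line and the `"clean_js" == $method` comparison use loose comparison; `in_array($tokens[$token_number + 2][1], array("clean", "purify", "clean_js", "clean_attribute"), true)` and `"clean_js" === $method` are the strict forms. The test method starts before the hunk.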
6 changes: 3 additions & 3 deletions modules/gallery/views/admin_advanced_settings.html.php
Expand Up @@ -20,13 +20,13 @@
<? if ($var->module_name == "gallery" && $var->name == "_cache") continue ?>
<tr class="setting">
<td> <?= $var->module_name ?> </td>
<td> <?= SafeString::of($var->name) ?> </td>
<td> <?= html::clean($var->name) ?> </td>
<td>
<a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . SafeString::of($var->name)) ?>"
<a href="<?= url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name)) ?>"
class="gDialogLink"
title="<?= t("Edit %var (%module_name)", array("var" => $var->name, "module_name" => $var->module_name)) ?>">
<? if ($var->value): ?>
<?= SafeString::of($var->value) ?>
<?= html::clean($var->value) ?>
<? else: ?>
<i> <?= t("empty") ?> </i>
<? endif ?>
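Review bot: `url::site("admin/advanced_settings/edit/$var->module_name/" . html::clean($var->name))` HTML-escapes a path segment and then the whole URL is printed into `href` without attribute escaping (unless `url::site` escapes its result, which is not visible here), so each half gets the wrong escape: the segment needs `rawurlencode($var->name)` (and `$var->module_name` is not encoded at all), and the attribute needs `html::clean` around the finished URL. Suggested line: `<a href="<?= html::clean(url::site("admin/advanced_settings/edit/" . rawurlencode($var->module_name) . "/" . rawurlencode($var->name))) ?>"`. The `title` attribute two lines down still passes `$var->name` raw to `t()`, so whether that is safe depends on `t()` escaping its parameters. The loop begins before the hunk.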
2 changes: 1 addition & 1 deletion modules/gallery/views/admin_block_log_entries.html.php
Expand Up @@ -2,7 +2,7 @@
<ul>
<? foreach ($entries as $entry): ?>
<li class="<?= log::severity_class($entry->severity) ?>" style="direction: ltr">
<a href="<?= url::site("user/$entry->user_id") ?>"><?= SafeString::of($entry->user->name) ?></a>
<a href="<?= url::site("user/$entry->user_id") ?>"><?= html::clean($entry->user->name) ?></a>
<?= gallery::date_time($entry->timestamp) ?>
<?= $entry->message ?>
<?= $entry->html ?>
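Review bot: `<?= $entry->message ?>` and `<?= $entry->html ?>` two lines below the changed line are still printed raw while only the user name now gets `html::clean()`; `admin_maintenance.html.php` has the same shape with `<?= $task->status ?>` next to the cleaned owner name. If these fields are written by the logging helper with already-escaped or `mark_safe`d content that is fine, but that contract is not visible here; a comment on the view such as `<?/* message/html are pre-escaped when logged */?>` or an explicit `html::clean($entry->message)` would make it auditable. The foreach starts before the hunk.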
4 changes: 2 additions & 2 deletions modules/gallery/views/admin_block_photo_stream.html.php
Expand Up @@ -2,9 +2,9 @@
<ul>
<? foreach ($photos as $photo): ?>
<li class="gItem gPhoto">
<a href="<?= url::site("photos/$photo->id") ?>" title="<?= SafeString::of($photo->title) ?>">
<a href="<?= url::site("photos/$photo->id") ?>" title="<?= html::clean($photo->title) ?>">
<img <?= photo::img_dimensions($photo->width, $photo->height, 72) ?>
src="<?= $photo->thumb_url() ?>" alt="<?= SafeString::of($photo->title) ?>" />
src="<?= $photo->thumb_url() ?>" alt="<?= html::clean($photo->title) ?>" />
</a>
</li>
<? endforeach ?>
4 changes: 2 additions & 2 deletions modules/gallery/views/admin_languages.html.php
Expand Up @@ -40,7 +40,7 @@
</form>

<script type="text/javascript">
var old_default_locale = "<?= SafeString::of($default_locale)->for_js() ?>";
var old_default_locale = "<?= html::escape_for_js($default_locale) ?>";

$("input[name='installed_locales[]']").change(function (event) {
if (this.checked) {
Expand All @@ -57,7 +57,7 @@
dataType: "json",
success: function(data) {
if (data.result == "success") {
el = $('<a href="<?= url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")->for_js() ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
el = $('<a href="<?= html::escape_for_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf")) ?>"></a>'); // this is a little hack to trigger the update_l10n task in a dialog
el.gallery_dialog();
el.trigger('click');
}
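Review bot: Both changed lines call `html::escape_for_js(...)`, but this commit renames that helper to `clean_js` in `modules/gallery/helpers/MY_html.php` and in `Html_Helper_Test.php`, so unless an alias is kept somewhere outside these hunks the admin languages page will fail with an undefined-method call; `Xss_Security_Test.php` likewise only recognises `clean_js`. Change the two lines to `html::clean_js($default_locale)` and `html::clean_js(url::site("admin/maintenance/start/gallery_task::update_l10n?csrf=$csrf"))`. The second value is a URL inside an HTML fragment inside a JS string, and `clean_js` only escapes for the string literal, so this relies on `$csrf` being a server-generated token rather than request-derived input.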
4 changes: 2 additions & 2 deletions modules/gallery/views/admin_maintenance.html.php
Expand Up @@ -93,7 +93,7 @@ class="gButtonLink ui-icon-left ui-state-default ui-corner-all right">
<?= $task->status ?>
</td>
<td>
<?= SafeString::of($task->owner()->name) ?>
<?= html::clean($task->owner()->name) ?>
</td>
<td>
<? if ($task->state == "stalled"): ?>
Expand Down Expand Up @@ -164,7 +164,7 @@ class="gButtonLink ui-icon-left ui-state-default ui-corner-all right">
<?= $task->status ?>
</td>
<td>
<?= SafeString::of($task->owner()->name) ?>
<?= html::clean($task->owner()->name) ?>
</td>
<td>
<? if ($task->done): ?>
2 changes: 1 addition & 1 deletion modules/gallery/views/admin_maintenance_show_log.html.php
Expand Up @@ -12,7 +12,7 @@
<div id="gTaskLogDialog">
<h1> <?= $task->name ?> </h1>
<div class="gTaskLog">
<pre><?= SafeString::purify($task->get_log()) ?></pre>
<pre><?= html::purify($task->get_log()) ?></pre>
</div>
<button id="gCloseButton" class="ui-state-default ui-corner-all" onclick="dismiss()"><?= t("Close") ?></button>
<button id="gSaveButton" class="ui-state-default ui-corner-all" onclick="download()"><?= t("Save") ?></button>
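Review bot: `<pre><?= html::purify($task->get_log()) ?></pre>` treats a task log as HTML, so any markup that reaches the log (error messages that embed item titles, for example) is rendered instead of displayed, and the purifier may also rewrite whitespace that `<pre>` is meant to preserve. A log is plain text, so `html::clean($task->get_log())` is the escape that matches the context. `<h1> <?= $task->name ?> </h1>` two lines above is still printed raw; if task names are fixed strings from the task definition that is fine, otherwise it needs `html::clean` as well.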

