Do all the html::clean|purify calls in the views and not the controll…

…er. Also clean the subject line and email message body of the contact user email.
gallery · Jan 28, 2010 · cedbc82 · cedbc82
1 parent bbe7011
commit cedbc82
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 6 deletions.
diff --git a/modules/gallery/controllers/user_profile.php b/modules/gallery/controllers/user_profile.php
@@ -53,11 +53,11 @@ public function send($id) {
     if ($form->validate()) {
       Sendmail::factory()
         ->to($user->email)
-        ->subject($form->message->subject->value)
+        ->subject(html::clean($form->message->subject->value))
         ->header("Mime-Version", "1.0")
         ->header("Content-type", "text/html; charset=iso-8859-1")
         ->reply_to($form->message->reply_to->value)
-        ->message($form->message->message->value)
+        ->message(html::purify($form->message->message->value))
         ->send();
       message::success(t("Sent message to %user_name", array("user_name" => $user->display_name())));
       print json_encode(array("result" => "success"));

diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
@@ -411,7 +411,7 @@ static function show_user_profile($data) {
         if ($field == "locale") {
           $value = locales::display_name($value);
         }
-        $v->fields[(string) $label] = html::clean($value);
+        $v->fields[(string) $label] = $value;
       }
     }
     $data->content[] = (object) array("title" => t("User information"), "view" => $v);

diff --git a/modules/gallery/views/user_profile.html.php b/modules/gallery/views/user_profile.html.php
@@ -41,7 +41,7 @@ class="g-avatar" width="40" height="40" />
   <? foreach ($info_parts as $info): ?>
   <div>
     <fieldset>
-    <label><?= $info->title ?></label>
+    <label><?= html::purify($info->title) ?></label>
     <div>
     <?= $info->view ?>
     </div>

diff --git a/modules/gallery/views/user_profile_info.html.php b/modules/gallery/views/user_profile_info.html.php
@@ -3,7 +3,7 @@
   <? foreach ($fields as $field => $value): ?>
   <tr>
     <td><?= $field ?></td>
-    <td><?= $value ?></td>
+    <td><?= html::purify($value) ?></td>
   </tr>
   <? endforeach ?>
 </table>
diff --git a/modules/rest/views/user_profile_rest.html.php b/modules/rest/views/user_profile_rest.html.php
@@ -2,7 +2,7 @@
 <div id="g-rest-detail">
 <ul>
   <li id="g-rest-key">
-  <p><b><?= t("Key") ?></b>:<?= $rest_key ?></p>
+  <p><b><?= t("Key") ?></b>:<?= html::clean($rest_key) ?></p>
   </li>
 </ul>
 </div>