rjmackay · April 23, 2013 22:53
diff --git a/secfix-2013-001-themes-default.diff b/secfix-2013-001-themes-default.diff
 diff --git a/themes/default/css/style.css b/themes/default/css/style.css
 index f0ff34f..bb97676 100644
 --- a/themes/default/css/style.css
 +++ b/themes/default/css/style.css
 @@ -2126,3 +2126,10 @@ div.ci_checkin {
 .user-color { width:160px;height:20px; }
 .badges { float:left;padding-left:25px;width:275px;}
 .badge img { margin:5px; }
 +
 +.allowed-html {
 +  font-weight: normal;
 +	font-size: 10px;
 +	line-height: 12px;
 +	color: #a1a1a1;
 +}
 diff --git a/themes/default/views/blocks/main_reports.php b/themes/default/views/blocks/main_reports.php
 index a1895ae..c9ba452 100644
 --- a/themes/default/views/blocks/main_reports.php
 +++ b/themes/default/views/blocks/main_reports.php
 @@ -19,14 +19,14 @@
 		foreach ($incidents as $incident)
 		{
 			$incident_id = $incident->id;
 -			$incident_title = text::limit_chars(strip_tags($incident->incident_title), 40, '...', True);
 +			$incident_title = text::limit_chars(html::escape($incident->incident_title), 40, '...', True);
 			$incident_date = $incident->incident_date;
 			$incident_date = date('M j Y', strtotime($incident->incident_date));
 			$incident_location = $incident->location->location_name;
 		?>
 		<tr>
 -			<td><a href="<?php echo url::site() . 'reports/view/' . $incident_id; ?>"> <?php echo html::specialchars($incident_title) ?></a></td>
 -			<td><?php echo html::specialchars($incident_location) ?></td>
 +			<td><a href="<?php echo url::site() . 'reports/view/' . $incident_id; ?>"> <?php echo html::escape($incident_title) ?></a></td>
 +			<td><?php echo html::escape($incident_location) ?></td>
 			<td><?php echo $incident_date; ?></td>
 		</tr>
 		<?php
 diff --git a/themes/default/views/feed/atom.php b/themes/default/views/feed/atom.php
 index ad0882b..f9ab59f 100644
 --- a/themes/default/views/feed/atom.php
 +++ b/themes/default/views/feed/atom.php
 @@ -1,7 +1,7 @@
 -<?php echo "<?xml version=\"1.0\"?>"; ?>
 +<?php echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"; ?>
 <feed xmlns="http://www.w3.org/2005/Atom"<?php if(isset($georss)) echo ' xmlns:georss="http://www.georss.org/georss"';?>>
 -	<title type="text"><?php echo $feed_title; ?></title>
 -	<subtitle type="html"><?php echo $feed_description; ?></subtitle>
 +	<title type="text"><?php echo html::specialchars($feed_title); ?></title>
 +	<subtitle type="html"><?php echo html::specialchars($feed_description); ?></subtitle>
 	<updated><?php echo gmdate("c", strtotime($feed_date)); ?></updated>
 	<id><?php echo $feed_url; ?></id>
 	<link rel="alternate" type="text/html" href="<?php echo $site_url; ?>"/>
 @@ -15,14 +15,14 @@
 	foreach ($items as $item)
 	{?>
 		<entry>
 -			<title><?php echo $item['title']; ?></title>
 +			<title><?php echo html::specialchars($item['title']); ?></title>
 			<link rel="alternate" type="text/html" href="<?php echo $item['link']; ?>"/>
 			<updated><?php echo gmdate("c", strtotime($item['date'])); ?></updated>
 			<published><?php echo gmdate("c", strtotime($item['date'])); ?></published>
 			<content type="xhtml" xml:lang="en" 
 			xml:base="http://diveintomark.org/">
 			<div xmlns="http://www.w3.org/1999/xhtml">
 -			<?php echo $item['description']; ?>
 +			<?php echo html::clean($item['description']); ?>
 			</div>
 			</content>
 			<?php
 diff --git a/themes/default/views/feed/rss2.php b/themes/default/views/feed/rss2.php
 index dc11705..01de2e0 100644
 --- a/themes/default/views/feed/rss2.php
 +++ b/themes/default/views/feed/rss2.php
 @@ -1,10 +1,10 @@
 -<?php echo "<?xml version=\"1.0\"?>"; ?>
 +<?php echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"; ?>
 <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"<?php if(isset($georss)) echo ' xmlns:georss="http://www.georss.org/georss"';?>>
 	<channel>
 -		<title><?php echo $feed_title; ?></title>
 +		<title><?php echo html::specialchars($feed_title); ?></title>
 		<link><?php echo $site_url; ?></link>
 		<pubDate><?php echo gmdate("D, d M Y H:i:s T", strtotime($feed_date)); ?></pubDate>
 -		<description><?php echo $feed_description; ?></description>
 +		<description><?php echo html::specialchars($feed_description); ?></description>
 		<generator>Ushahidi Platform</generator>
 		<atom:link href="<?php echo $feed_url; ?>" rel="self" type="application/rss+xml" />
 		
 @@ -13,9 +13,9 @@
 
 		<?php foreach ($items as $item): ?>
 			<item>
 -			<title><?php echo htmlspecialchars($item['title']); ?></title>
 +			<title><?php echo html::specialchars($item['title']); ?></title>
 			<link><?php echo $item['link']; ?></link>
 -			<description><![CDATA[<?php echo htmlspecialchars($item['description'], ENT_COMPAT, 'UTF-8'); ?>]]></description>
 +			<description><![CDATA[<?php echo html::specialchars($item['description']); ?>]]></description>
 			<pubDate><?php echo gmdate("D, d M Y H:i:s T", strtotime($item['date'])); ?></pubDate>
 			<guid><?php if(isset($item['guid'])) echo $item['guid']; else echo $item['link'] ?></guid>
 
 @@ -24,7 +24,7 @@
 			<?php endif; ?>
 
 			<?php foreach ($item['categories'] as $category): ?>
 -				<category><?php echo htmlspecialchars($category); ?></category>
 +				<category><?php echo html::specialchars($category); ?></category>
 			<?php endforeach; ?>
 
 			<?php // Event::feed_rss_item - Add to the feed item ?>
 diff --git a/themes/default/views/header.php b/themes/default/views/header.php
 index 53e19ad..2e9c472 100644
 --- a/themes/default/views/header.php
 +++ b/themes/default/views/header.php
 @@ -89,7 +89,7 @@
 					</ul>
 
 					<?php if ($allow_feed == 1) { ?>
 -					<div class="feedicon"><a href="<?php echo url::site(); ?>feed/"><img alt="<?php echo htmlentities(Kohana::lang('ui_main.rss'), ENT_QUOTES); ?>" src="<?php echo url::file_loc('img'); ?>media/img/icon-feed.png" style="vertical-align: middle;" border="0" /></a></div>
 +					<div class="feedicon"><a href="<?php echo url::site(); ?>feed/"><img alt="<?php echo html::escape(Kohana::lang('ui_main.rss')); ?>" src="<?php echo url::file_loc('img'); ?>media/img/icon-feed.png" style="vertical-align: middle;" border="0" /></a></div>
 					<?php } ?>
 
 				</div>
 diff --git a/themes/default/views/main/layout.php b/themes/default/views/main/layout.php
 index bbc2a58..8147328 100755
 --- a/themes/default/views/main/layout.php
 +++ b/themes/default/views/main/layout.php
 @@ -49,12 +49,12 @@
 				<?php
 					foreach ($categories as $category => $category_info)
 					{
 -						$category_title = htmlentities($category_info[0], ENT_QUOTES, "UTF-8");
 +						$category_title = html::escape($category_info[0]);
 						$category_color = $category_info[1];
 						$category_image = ($category_info[2] != NULL)
 						    ? url::convert_uploaded_to_abs($category_info[2])
 						    : NULL;
 -						$category_description = htmlentities(Category_Lang_Model::category_description($category), ENT_QUOTES, "UTF-8");
 +						$category_description = html::escape(Category_Lang_Model::category_description($category));
 
 						$color_css = 'class="category-icon swatch" style="background-color:#'.$category_color.'"';
 						if ($category_info[2] != NULL)
 @@ -78,12 +78,12 @@
 							echo '<ul>';
 							foreach ($category_info[3] as $child => $child_info)
 							{
 -								$child_title = htmlentities($child_info[0], ENT_QUOTES, "UTF-8");
 +								$child_title = html::escape($child_info[0]);
 								$child_color = $child_info[1];
 								$child_image = ($child_info[2] != NULL)
 								    ? url::convert_uploaded_to_abs($child_info[2])
 								    : NULL;
 -								$child_description = htmlentities(Category_Lang_Model::category_description($child), ENT_QUOTES, "UTF-8");
 +								$child_description = html::escape(Category_Lang_Model::category_description($child));
 								
 								$color_css = 'class="category-icon swatch" style="background-color:#'.$child_color.'"';
 								if ($child_info[2] != NULL)
 diff --git a/themes/default/views/page.php b/themes/default/views/page.php
 index f474e0d..c78d642 100644
 --- a/themes/default/views/page.php
 +++ b/themes/default/views/page.php
 @@ -1,9 +1,9 @@
 <div id="content">
 	<div class="content-bg">
 		<div class="big-block">
 -			<h1><?php echo $page_title ?></h1>
 +			<h1><?php echo html::escape($page_title) ?></h1>
 			<div class="page_text"><?php 
 -			echo htmlspecialchars_decode($page_description);
 +			echo $page_description;
 			Event::run('ushahidi_action.page_extra', $page_id);
 			?></div>
 		</div>
 diff --git a/themes/default/views/profile/user.php b/themes/default/views/profile/user.php
 index adeadba..b1df0ce 100644
 --- a/themes/default/views/profile/user.php
 +++ b/themes/default/views/profile/user.php
 @@ -24,7 +24,7 @@
 					<h4><?php echo Kohana::lang('ui_main.reports_by_this_user');?></h4>
 					<?php foreach($reports as $report) { ?>
 						<div class="rb_report">
 -							<h5><a href="<?php echo url::site(); ?>reports/view/<?php echo $report->id; ?>"><?php echo strip_tags($report->incident_title); ?></a></h5>
 +							<h5><a href="<?php echo url::site(); ?>reports/view/<?php echo $report->id; ?>"><?php echo html::escape($report->incident_title); ?></a></h5>
 							<p class="r_date r-3 bottom-cap"><?php echo date('H:i M d, Y', strtotime($report->incident_date)); ?></p>
 							<p class="r_location"><?php echo html::specialchars($report->location->location_name); ?></p>
 						</div>
 diff --git a/themes/default/views/reports/comments.php b/themes/default/views/reports/comments.php
 index 07980b6..5d9a0ca 100644
 --- a/themes/default/views/reports/comments.php
 +++ b/themes/default/views/reports/comments.php
 @@ -8,10 +8,10 @@
 		<div class="report-comment-box">
 
 			<div>
 -				<strong><?php echo html::specialchars($comment->comment_author); ?></strong>&nbsp;(<?php echo date('M j Y', strtotime($comment->comment_date)); ?>)
 +				<strong><?php echo html::strip_tags($comment->comment_author); ?></strong>&nbsp;(<?php echo date('M j Y', strtotime($comment->comment_date)); ?>)
 			</div>
 
 -			<div><?php echo html::specialchars($comment->comment_description); ?></div>
 +			<div><?php echo html::escape($comment->comment_description); ?></div>
 
 		</div>
 	<?php endforeach; ?>
 diff --git a/themes/default/views/reports/detail.php b/themes/default/views/reports/detail.php
 index 0145e07..462ebe6 100755
 --- a/themes/default/views/reports/detail.php
 +++ b/themes/default/views/reports/detail.php
 @@ -14,7 +14,7 @@
   	  ?>
 
 		<h1 class="report-title"><?php
 -			echo htmlentities($incident_title, ENT_QUOTES, "UTF-8");
 +			echo html::escape($incident_title);
 
 			// If Admin is Logged In - Allow For Edit Link
 			if ($logged_in)
 @@ -78,7 +78,7 @@
 				echo '<div id="report-images">';
 				foreach ($incident_photos as $photo)
 				{
 -					echo '<a class="photothumb" rel="lightbox-group1" href="'.$photo['large'].'"><img alt="'.htmlentities($incident_title, ENT_QUOTES, "UTF-8").'" src="'.$photo['thumb'].'"/></a> ';
 +					echo '<a class="photothumb" rel="lightbox-group1" href="'.$photo['large'].'"><img alt="'.html::escape($incident_title).'" src="'.$photo['thumb'].'"/></a> ';
 				};
 				echo '</div>';
 			}
 @@ -103,7 +103,7 @@
 		<!-- start report description -->
 		<div class="report-description-text">
 			<h5><?php echo Kohana::lang('ui_main.reports_description');?></h5>
 -			<?php echo nl2br($incident_description); ?>
 +			<?php echo html::clean(nl2br($incident_description)); ?>
 			<br/>
 
 
 diff --git a/themes/default/views/reports/list.php b/themes/default/views/reports/list.php
 index abdd731..2ee0f25 100644
 --- a/themes/default/views/reports/list.php
 +++ b/themes/default/views/reports/list.php
 @@ -44,14 +44,14 @@
 				foreach ($incidents as $incident)
 				{
 					$incident_id = $incident->incident_id;
 -					$incident_title = strip_tags($incident->incident_title);
 -					$incident_description = strip_tags($incident->incident_description);
 +					$incident_title = html::strip_tags($incident->incident_title);
 +					$incident_description = html::strip_tags($incident->incident_description);
 					$incident_url = Incident_Model::get_url($incident_id);
 					//$incident_category = $incident->incident_category;
 					// Trim to 150 characters without cutting words
 					// XXX: Perhaps delcare 150 as constant
 
 -					$incident_description = text::limit_chars(strip_tags($incident_description), 140, "...", true);
 +					$incident_description = text::limit_chars(html::strip_tags($incident_description), 140, "...", true);
 					$incident_date = date('H:i M d, Y', strtotime($incident->incident_date));
 					//$incident_time = date('H:i', strtotime($incident->incident_date));
 					$location_id = $incident->location_id;
 @@ -88,7 +88,7 @@
 				<div id="incident_<?php echo $incident_id ?>" class="rb_report <?php echo $incident_verified_class; ?>">
 					<div class="r_media">
 						<p class="r_photo"> <a href="<?php echo $incident_url; ?>">
 -							<img alt="<?php echo htmlentities($incident_title, ENT_QUOTES, "UTF-8"); ?>" src="<?php echo $incident_thumb; ?>" /> </a>
 +							<img alt="<?php echo html::escape($incident_title); ?>" src="<?php echo $incident_thumb; ?>" /> </a>
 						</p>
 
 						<!-- Only show this if the report has a video -->
 @@ -126,7 +126,7 @@
 
 					<div class="r_details">
 						<h3><a class="r_title" href="<?php echo $incident_url; ?>">
 -								<?php echo htmlentities($incident_title, ENT_QUOTES, "UTF-8"); ?>
 +								<?php echo html::escape($incident_title); ?>
 							</a>
 							<a href="<?php echo "$incident_url#discussion"; ?>" class="r_comments">
 								<?php echo $comment_count; ?></a> 
 diff --git a/themes/default/views/reports/submit.php b/themes/default/views/reports/submit.php
 index be16ec8..3656923 100755
 --- a/themes/default/views/reports/submit.php
 +++ b/themes/default/views/reports/submit.php
 @@ -50,6 +50,7 @@
 				</div>
 				<div class="report_row">
 					<h4><?php echo Kohana::lang('ui_main.reports_description'); ?> <span class="required">*</span> </h4>
 +					<span class="allowed-html"><?php echo html::allowed_html(); ?></span>
 					<?php print form::textarea('incident_description', $form['incident_description'], ' rows="10" class="textarea long" ') ?>
 				</div>
 				<div class="report_row" id="datetime_default">
	diff --git a/themes/default/css/style.css b/themes/default/css/style.css
	index f0ff34f..bb97676 100644
	--- a/themes/default/css/style.css
	+++ b/themes/default/css/style.css
	@@ -2126,3 +2126,10 @@ div.ci_checkin {
	.user-color { width:160px;height:20px; }
	.badges { float:left;padding-left:25px;width:275px;}
	.badge img { margin:5px; }
	+
	+.allowed-html {
	+ font-weight: normal;
	+ font-size: 10px;
	+ line-height: 12px;
	+ color: #a1a1a1;
	+}
	diff --git a/themes/default/views/blocks/main_reports.php b/themes/default/views/blocks/main_reports.php
	index a1895ae..c9ba452 100644
	--- a/themes/default/views/blocks/main_reports.php
	+++ b/themes/default/views/blocks/main_reports.php
	@@ -19,14 +19,14 @@
	foreach ($incidents as $incident)
	{
	$incident_id = $incident->id;
	- $incident_title = text::limit_chars(strip_tags($incident->incident_title), 40, '...', True);
	+ $incident_title = text::limit_chars(html::escape($incident->incident_title), 40, '...', True);
	$incident_date = $incident->incident_date;
	$incident_date = date('M j Y', strtotime($incident->incident_date));
	$incident_location = $incident->location->location_name;
	?>
	<tr>
	- <td><a href="<?php echo url::site() . 'reports/view/' . $incident_id; ?>"> <?php echo html::specialchars($incident_title) ?></a></td>
	- <td><?php echo html::specialchars($incident_location) ?></td>
	+ <td><a href="<?php echo url::site() . 'reports/view/' . $incident_id; ?>"> <?php echo html::escape($incident_title) ?></a></td>
	+ <td><?php echo html::escape($incident_location) ?></td>
	<td><?php echo $incident_date; ?></td>
	</tr>
	<?php
	diff --git a/themes/default/views/feed/atom.php b/themes/default/views/feed/atom.php
	index ad0882b..f9ab59f 100644
	--- a/themes/default/views/feed/atom.php
	+++ b/themes/default/views/feed/atom.php
	@@ -1,7 +1,7 @@
	-<?php echo "<?xml version=\"1.0\"?>"; ?>
	+<?php echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"; ?>
	<feed xmlns="http://www.w3.org/2005/Atom"<?php if(isset($georss)) echo ' xmlns:georss="http://www.georss.org/georss"';?>>
	- <title type="text"><?php echo $feed_title; ?></title>
	- <subtitle type="html"><?php echo $feed_description; ?></subtitle>
	+ <title type="text"><?php echo html::specialchars($feed_title); ?></title>
	+ <subtitle type="html"><?php echo html::specialchars($feed_description); ?></subtitle>
	<updated><?php echo gmdate("c", strtotime($feed_date)); ?></updated>
	<id><?php echo $feed_url; ?></id>
	<link rel="alternate" type="text/html" href="<?php echo $site_url; ?>"/>
	@@ -15,14 +15,14 @@
	foreach ($items as $item)
	{?>
	<entry>
	- <title><?php echo $item['title']; ?></title>
	+ <title><?php echo html::specialchars($item['title']); ?></title>
	<link rel="alternate" type="text/html" href="<?php echo $item['link']; ?>"/>
	<updated><?php echo gmdate("c", strtotime($item['date'])); ?></updated>
	<published><?php echo gmdate("c", strtotime($item['date'])); ?></published>
	<content type="xhtml" xml:lang="en"
	xml:base="http://diveintomark.org/">
	<div xmlns="http://www.w3.org/1999/xhtml">
	- <?php echo $item['description']; ?>
	+ <?php echo html::clean($item['description']); ?>
	</div>
	</content>
	<?php
	diff --git a/themes/default/views/feed/rss2.php b/themes/default/views/feed/rss2.php
	index dc11705..01de2e0 100644
	--- a/themes/default/views/feed/rss2.php
	+++ b/themes/default/views/feed/rss2.php
	@@ -1,10 +1,10 @@
	-<?php echo "<?xml version=\"1.0\"?>"; ?>
	+<?php echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"; ?>
	<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"<?php if(isset($georss)) echo ' xmlns:georss="http://www.georss.org/georss"';?>>
	<channel>
	- <title><?php echo $feed_title; ?></title>
	+ <title><?php echo html::specialchars($feed_title); ?></title>
	<link><?php echo $site_url; ?></link>
	<pubDate><?php echo gmdate("D, d M Y H:i:s T", strtotime($feed_date)); ?></pubDate>
	- <description><?php echo $feed_description; ?></description>
	+ <description><?php echo html::specialchars($feed_description); ?></description>
	<generator>Ushahidi Platform</generator>
	<atom:link href="<?php echo $feed_url; ?>" rel="self" type="application/rss+xml" />

	@@ -13,9 +13,9 @@

	<?php foreach ($items as $item): ?>
	<item>
	- <title><?php echo htmlspecialchars($item['title']); ?></title>
	+ <title><?php echo html::specialchars($item['title']); ?></title>
	<link><?php echo $item['link']; ?></link>
	- <description><![CDATA[<?php echo htmlspecialchars($item['description'], ENT_COMPAT, 'UTF-8'); ?>]]></description>
	+ <description><![CDATA[<?php echo html::specialchars($item['description']); ?>]]></description>
	<pubDate><?php echo gmdate("D, d M Y H:i:s T", strtotime($item['date'])); ?></pubDate>
	<guid><?php if(isset($item['guid'])) echo $item['guid']; else echo $item['link'] ?></guid>

	@@ -24,7 +24,7 @@
	<?php endif; ?>

	<?php foreach ($item['categories'] as $category): ?>
	- <category><?php echo htmlspecialchars($category); ?></category>
	+ <category><?php echo html::specialchars($category); ?></category>
	<?php endforeach; ?>

	<?php // Event::feed_rss_item - Add to the feed item ?>
	diff --git a/themes/default/views/header.php b/themes/default/views/header.php
	index 53e19ad..2e9c472 100644
	--- a/themes/default/views/header.php
	+++ b/themes/default/views/header.php
	@@ -89,7 +89,7 @@
	</ul>

	<?php if ($allow_feed == 1) { ?>
	- <div class="feedicon"><a href="<?php echo url::site(); ?>feed/"><img alt="<?php echo htmlentities(Kohana::lang('ui_main.rss'), ENT_QUOTES); ?>" src="<?php echo url::file_loc('img'); ?>media/img/icon-feed.png" style="vertical-align: middle;" border="0" /></a></div>
	+ <div class="feedicon"><a href="<?php echo url::site(); ?>feed/"><img alt="<?php echo html::escape(Kohana::lang('ui_main.rss')); ?>" src="<?php echo url::file_loc('img'); ?>media/img/icon-feed.png" style="vertical-align: middle;" border="0" /></a></div>
	<?php } ?>

	</div>
	diff --git a/themes/default/views/main/layout.php b/themes/default/views/main/layout.php
	index bbc2a58..8147328 100755
	--- a/themes/default/views/main/layout.php
	+++ b/themes/default/views/main/layout.php
	@@ -49,12 +49,12 @@
	<?php
	foreach ($categories as $category => $category_info)
	{
	- $category_title = htmlentities($category_info[0], ENT_QUOTES, "UTF-8");
	+ $category_title = html::escape($category_info[0]);
	$category_color = $category_info[1];
	$category_image = ($category_info[2] != NULL)
	? url::convert_uploaded_to_abs($category_info[2])
	: NULL;
	- $category_description = htmlentities(Category_Lang_Model::category_description($category), ENT_QUOTES, "UTF-8");
	+ $category_description = html::escape(Category_Lang_Model::category_description($category));

	$color_css = 'class="category-icon swatch" style="background-color:#'.$category_color.'"';
	if ($category_info[2] != NULL)
	@@ -78,12 +78,12 @@
	echo '<ul>';
	foreach ($category_info[3] as $child => $child_info)
	{
	- $child_title = htmlentities($child_info[0], ENT_QUOTES, "UTF-8");
	+ $child_title = html::escape($child_info[0]);
	$child_color = $child_info[1];
	$child_image = ($child_info[2] != NULL)
	? url::convert_uploaded_to_abs($child_info[2])
	: NULL;
	- $child_description = htmlentities(Category_Lang_Model::category_description($child), ENT_QUOTES, "UTF-8");
	+ $child_description = html::escape(Category_Lang_Model::category_description($child));

	$color_css = 'class="category-icon swatch" style="background-color:#'.$child_color.'"';
	if ($child_info[2] != NULL)
	diff --git a/themes/default/views/page.php b/themes/default/views/page.php
	index f474e0d..c78d642 100644
	--- a/themes/default/views/page.php
	+++ b/themes/default/views/page.php
	@@ -1,9 +1,9 @@
	<div id="content">
	<div class="content-bg">
	<div class="big-block">
	- <h1><?php echo $page_title ?></h1>
	+ <h1><?php echo html::escape($page_title) ?></h1>
	<div class="page_text"><?php
	- echo htmlspecialchars_decode($page_description);
	+ echo $page_description;
	Event::run('ushahidi_action.page_extra', $page_id);
	?></div>
	</div>
	diff --git a/themes/default/views/profile/user.php b/themes/default/views/profile/user.php
	index adeadba..b1df0ce 100644
	--- a/themes/default/views/profile/user.php
	+++ b/themes/default/views/profile/user.php
	@@ -24,7 +24,7 @@
	<h4><?php echo Kohana::lang('ui_main.reports_by_this_user');?></h4>
	<?php foreach($reports as $report) { ?>
	<div class="rb_report">
	- <h5><a href="<?php echo url::site(); ?>reports/view/<?php echo $report->id; ?>"><?php echo strip_tags($report->incident_title); ?></a></h5>
	+ <h5><a href="<?php echo url::site(); ?>reports/view/<?php echo $report->id; ?>"><?php echo html::escape($report->incident_title); ?></a></h5>
	<p class="r_date r-3 bottom-cap"><?php echo date('H:i M d, Y', strtotime($report->incident_date)); ?></p>
	<p class="r_location"><?php echo html::specialchars($report->location->location_name); ?></p>
	</div>
	diff --git a/themes/default/views/reports/comments.php b/themes/default/views/reports/comments.php
	index 07980b6..5d9a0ca 100644
	--- a/themes/default/views/reports/comments.php
	+++ b/themes/default/views/reports/comments.php
	@@ -8,10 +8,10 @@
	<div class="report-comment-box">

	<div>
	- <strong><?php echo html::specialchars($comment->comment_author); ?></strong> (<?php echo date('M j Y', strtotime($comment->comment_date)); ?>)
	+ <strong><?php echo html::strip_tags($comment->comment_author); ?></strong> (<?php echo date('M j Y', strtotime($comment->comment_date)); ?>)
	</div>

	- <div><?php echo html::specialchars($comment->comment_description); ?></div>
	+ <div><?php echo html::escape($comment->comment_description); ?></div>

	</div>
	<?php endforeach; ?>
	diff --git a/themes/default/views/reports/detail.php b/themes/default/views/reports/detail.php
	index 0145e07..462ebe6 100755
	--- a/themes/default/views/reports/detail.php
	+++ b/themes/default/views/reports/detail.php
	@@ -14,7 +14,7 @@
	?>

	<h1 class="report-title"><?php
	- echo htmlentities($incident_title, ENT_QUOTES, "UTF-8");
	+ echo html::escape($incident_title);

	// If Admin is Logged In - Allow For Edit Link
	if ($logged_in)
	@@ -78,7 +78,7 @@
	echo '<div id="report-images">';
	foreach ($incident_photos as $photo)
	{
	- echo '<a class="photothumb" rel="lightbox-group1" href="'.$photo['large'].'"><img alt="'.htmlentities($incident_title, ENT_QUOTES, "UTF-8").'" src="'.$photo['thumb'].'"/></a> ';
	+ echo '<a class="photothumb" rel="lightbox-group1" href="'.$photo['large'].'"><img alt="'.html::escape($incident_title).'" src="'.$photo['thumb'].'"/></a> ';
	};
	echo '</div>';
	}
	@@ -103,7 +103,7 @@
	<!-- start report description -->
	<div class="report-description-text">
	<h5><?php echo Kohana::lang('ui_main.reports_description');?></h5>
	- <?php echo nl2br($incident_description); ?>
	+ <?php echo html::clean(nl2br($incident_description)); ?>
	<br/>


	diff --git a/themes/default/views/reports/list.php b/themes/default/views/reports/list.php
	index abdd731..2ee0f25 100644
	--- a/themes/default/views/reports/list.php
	+++ b/themes/default/views/reports/list.php
	@@ -44,14 +44,14 @@
	foreach ($incidents as $incident)
	{
	$incident_id = $incident->incident_id;
	- $incident_title = strip_tags($incident->incident_title);
	- $incident_description = strip_tags($incident->incident_description);
	+ $incident_title = html::strip_tags($incident->incident_title);
	+ $incident_description = html::strip_tags($incident->incident_description);
	$incident_url = Incident_Model::get_url($incident_id);
	//$incident_category = $incident->incident_category;
	// Trim to 150 characters without cutting words
	// XXX: Perhaps delcare 150 as constant

	- $incident_description = text::limit_chars(strip_tags($incident_description), 140, "...", true);
	+ $incident_description = text::limit_chars(html::strip_tags($incident_description), 140, "...", true);
	$incident_date = date('H:i M d, Y', strtotime($incident->incident_date));
	//$incident_time = date('H:i', strtotime($incident->incident_date));
	$location_id = $incident->location_id;
	@@ -88,7 +88,7 @@
	<div id="incident_<?php echo $incident_id ?>" class="rb_report <?php echo $incident_verified_class; ?>">
	<div class="r_media">
	<p class="r_photo"> <a href="<?php echo $incident_url; ?>">
	- <img alt="<?php echo htmlentities($incident_title, ENT_QUOTES, "UTF-8"); ?>" src="<?php echo $incident_thumb; ?>" /> </a>
	+ <img alt="<?php echo html::escape($incident_title); ?>" src="<?php echo $incident_thumb; ?>" /> </a>
	</p>

	<!-- Only show this if the report has a video -->
	@@ -126,7 +126,7 @@

	<div class="r_details">
	<h3><a class="r_title" href="<?php echo $incident_url; ?>">
	- <?php echo htmlentities($incident_title, ENT_QUOTES, "UTF-8"); ?>
	+ <?php echo html::escape($incident_title); ?>
	</a>
	<a href="<?php echo "$incident_url#discussion"; ?>" class="r_comments">
	<?php echo $comment_count; ?></a>
	diff --git a/themes/default/views/reports/submit.php b/themes/default/views/reports/submit.php
	index be16ec8..3656923 100755
	--- a/themes/default/views/reports/submit.php
	+++ b/themes/default/views/reports/submit.php
	@@ -50,6 +50,7 @@
	</div>
	<div class="report_row">
	<h4><?php echo Kohana::lang('ui_main.reports_description'); ?> <span class="required">*</span> </h4>
	+ <span class="allowed-html"><?php echo html::allowed_html(); ?></span>
	<?php print form::textarea('incident_description', $form['incident_description'], ' rows="10" class="textarea long" ') ?>
	</div>
	<div class="report_row" id="datetime_default">