# HG changeset patch
# User Nathan Phillip Brink <ohnobinki@ohnopublishing.net>
# Date 2011-01-15 22:28:28
# Node ID 4ebd39f3f679c02f36badacab21812acbd8d1895
# Parent  d8a9840d33199e1d40366a55632df4e09adf02ee

Now all url()-style functions return actual URLs, whose return value must and now is escaped using htmlentities() when inserted into XHTML pages.

diff --git a/admin.php b/admin.php
--- a/admin.php
+++ b/admin.php
@@ -167,7 +167,7 @@ require_once('inc/admin.inc');
 </ul>
 
 <h3>Purge</h3>
-    <p>The highest saved_schedule id is <a href="<?php $max_saved = getMaxSaved(); echo Schedule::url($max_saved); ?>"><?php echo $max_saved;?></a>.</p>
+    <p>The highest saved_schedule id is <a href="<?php $max_saved = getMaxSaved(); echo htmlentities(Schedule::url($max_saved)); ?>"><?php echo $max_saved;?></a>.</p>
 <ul>
   <li><a href="admin.php?purge">Purge Entire Cache</a></li>
   <li>
diff --git a/class.schedule.php b/class.schedule.php
--- a/class.schedule.php
+++ b/class.schedule.php
@@ -285,7 +285,7 @@ class Schedule
       echo '  });
             </script>';
 
-      echo '<div id="sharedialog" title="Share Schedule"><p>You can share your schedule with the URL below:</p><p>'.$outputPage->gen_share_url($this->id_get()).'</p></div>';
+      echo '<div id="sharedialog" title="Share Schedule"><p>You can share your schedule with the URL below:</p><p>' . htmlentities($outputPage->gen_share_url($this->id_get())) . '</p></div>';
       echo '<p><span id="printItems"><a href="#">Print</a></span> :: <span id="share"><a href="#">Share</a></span> :: <a href="input.php">Home</a></p>';
       echo '<p class="centeredtext">Having problems? <a href="feedback.php">Let us know</a>.</p>';
       echo '<p class="centeredtext graytext"><em>Keyboard Shortcut: Left and right arrow keys switch between schedules</em></p>';
@@ -319,11 +319,11 @@ class Schedule
 	echo "    <div id=\"pagers\">\n";
 	/* Previous button */
 	if ($page > 0)
-	  echo '      <div id="pager-previous" class="pager left"><a href="' . $this->url($this->id, $page - 1) . '">&laquo; Previous</a></div>' . "\n";
+	  echo '      <div id="pager-previous" class="pager left"><a href="' . htmlentities($this->url($this->id, $page - 1)) . '">&laquo; Previous</a></div>' . "\n";
 
 	/* Next button */
 	if ($page + 1 < $npages)
-	  echo '      <div id="pager-next" class="pager right"><a href="' . $this->url($this->id, $page + 1) . '">Next &raquo;</a></div>' . "\n";
+	  echo '      <div id="pager-next" class="pager right"><a href="' . htmlentities($this->url($this->id, $page + 1)) . '">Next &raquo;</a></div>' . "\n";
 	echo "    </div> <!-- id=\"pagers\" -->\n";
 
 
@@ -521,6 +521,10 @@ class Schedule
    *   The ID of the schedule to link to. Defaults to the current schedule object.
    * \param $page
    *   The page of the schedule to link to. Defaults to 0.
+   * \return
+   *   A string, the URL used to access this schedule. Remember that
+   *   if this string is inserted into an XHTML document,
+   *   htmlentities() must be called on it.
    */
   function url($id = NULL, $page = 0)
   {
@@ -539,7 +543,7 @@ class Schedule
       $url .= '&';
 
     if ($page)
-      $url .= 'page=' . (int)$page . '&amp;';
+      $url .= 'page=' . (int)$page . '&';
 
     return $url;
   }
diff --git a/inc/class.page.php b/inc/class.page.php
--- a/inc/class.page.php
+++ b/inc/class.page.php
@@ -490,6 +490,11 @@ class page
   /**
    * \brief
    *   Generate a URL to a given schedule.
+   *
+   * \return
+   *   The URL used to access the schedule. You must call
+   *   htmlentities() on this string if it is to be inserted into an
+   *   XHTML document.
    */
   public function gen_share_url($id)
   {