Fixed various sanitization issues in time entry and activity output

time_tracker.admin.inc

@@ -309,7 +309,7 @@ function time_tracker_activity_table_form() {
       // The activity name.
       $form['activities'][$activity->taid]['name'] = array(
         '#type' => 'textfield',
-        '#default_value' => check_plain($activity->name),
+        '#default_value' => $activity->name,
       );
       // The weight (this is for the tabledrag we'll add in the theme function.
       $form['activities'][$activity->taid]['weight'] = array(
@@ -408,8 +408,8 @@ function time_tracker_delete_activity_confirm($form, &$form_state, $taid) {
       '#default_value' => $taid,
     );
     $question = t(
-      'Are you sure you want to delete the activity: !activity_name',
-      array('!activity_name' => _time_tracker_get_activity_name($taid))
+      'Are you sure you want to delete the activity: %activity_name',
+      array('%activity_name' => _time_tracker_get_activity_name($taid))
     );
     return confirm_form($form, $question, 'admin/config/time_tracker/activities');
   }

time_tracker.module

@@ -1001,9 +1001,10 @@ function time_tracker_time_entry_form($form, &$form_state, $info = array(), $tim
     else {
       $rounding_operation = 'rounded ' . $rounding_operation;
     }
-    $msg = t('Time rounding is ON. Time will be !rounded to the nearest !minutes minute interval.', array(
-      '!rounded' => $rounding_operation,
-      '!minutes' => $rounding_interval,
+    // TODO: change this to full string translations.
+    $msg = t('Time rounding is ON. Time will be @rounded to the nearest @minutes minute interval.', array(
+      '@rounded' => $rounding_operation,
+      '@minutes' => $rounding_interval,
     ));
     // Add it to the time_tracker fieldset.
     $form['time_tracker']['#description'] = $msg;
@@ -1141,7 +1142,9 @@ function time_tracker_time_entry_form($form, &$form_state, $info = array(), $tim
       if (isset($time_tracker_data->duration) && !($time_tracker_data->end) && !($time_tracker_data->start)) {
         $form['time_tracker']['duration_msg'] = array(
           '#prefix' => '<div class="description"><em>',
-          '#value' => t("A duration value exists for this time entry, but no Start and End time. <br/> Saving this entry with a Start and End time will overwrite the duration<br/> Logged Duration: <b>!duration</b>", array('!duration' => _time_tracker_format_hours_to_hours_and_minutes($time_tracker_data->duration))),
+          '#value' => t("A duration value exists for this time entry, but no Start and End time. <br/> Saving this entry with a Start and End time will overwrite the duration<br/> Logged Duration: <b>@duration</b>", array(
+            '@duration' => _time_tracker_format_hours_to_hours_and_minutes($time_tracker_data->duration)
+          )),
           '#suffix' => '</em></div>',
           '#weight' => 4,
         );

time_tracker.theme.inc

@@ -140,7 +140,7 @@ function theme_time_tracker_time_entry_table($variables) {
             'class' => 'time_entry_username',
           ),
           array( //Cell2
-            'data' => _time_tracker_get_activity_name($time_entry->activity),
+            'data' => filter_xss_admin(_time_tracker_get_activity_name($time_entry->activity)),
             'class' => 'time_entry_activity',
           ),
           array( //Cell3
@@ -167,7 +167,7 @@ function theme_time_tracker_time_entry_table($variables) {
       );
       // The note field is not optional
       $row['data'][] = array( //Cell5
-        'data' => $time_entry->note,
+        'data' => filter_xss($time_entry->note),
         'class' => 'time_entry_note',
       );
       if (variable_get('enable_billable_field', 0)) {
@@ -258,10 +258,7 @@ function theme_time_tracker_comment($variables) {
     $rows = array();
     $time = '';
 
-    $activity = _time_tracker_get_activity_name($time_entry->activity);
-    if ($activity) {
-      $activity = '(' . $activity . ') ';
-    }
+    $activity = filter_xss_admin(_time_tracker_get_activity_name($time_entry->activity));
 
     // If there is a time start and end, it's a time entry that was logged as an interval
     if ($time_entry->start && $time_entry->end) {
@@ -301,7 +298,7 @@ function theme_time_tracker_comment($variables) {
         );
       }
       $row['data'][] = array(
-        'data' => _time_tracker_get_activity_name($time_entry->activity),
+        'data' => $activity,
         'class' => 'time_entry_activity',
       );
       $row['data'][] = array(
@@ -338,7 +335,7 @@ function theme_time_tracker_comment($variables) {
       if (variable_get('enable_deductions_field', 0)) {
         $time_string['total_details'] = '(' . _time_tracker_format_hours_to_hours_and_minutes($time_entry->duration) . ' - ' . _time_tracker_format_hours_to_hours_and_minutes($time_entry->deductions) . ')';
       }
-      $time_string['activity'] = $activity;
+      $time_string['activity'] = $activity ? '(' . $activity . ') ' : $activity;
       $time_string['on'] = t('on');
       $time_string['time'] = format_date($time_entry->timestamp, 'custom', variable_get('timestamp_date_format', 'F d, Y'));
       if (variable_get('enable_billable_field', 0)) {

timer/time_tracker_timer.module

@@ -772,7 +772,9 @@ function theme_time_tracker_timer($variables) {
               'class' => 'stopped_timer_time timer_time timer_mine',
             ),
             array(
-              'data' => t('Your time has been entered below.  <a href="!hours_field_link">Please complete the form</a>', array('!hours_field_link' => base_path() . $hours_field_link)),
+              'data' => t('Your time has been entered below.  <a href="!url">Please complete the form</a>', array(
+                '!url' => check_url(base_path() . $hours_field_link),
+              )),
               'class' => 'stopped_timer_msg timer_msg timer_mine',
             ),
           ),

views/time_tracker.views.inc

@@ -23,19 +23,19 @@ function time_tracker_views_data() {
       $tracking = time_tracker_is_tracking_time($key, $bkey);
       if ($tracking) {
         $data['time_tracker_entry'][$type['entity keys']['id']] = array(
-          'title' => t($type['label']),
-          'help' => t('Relate an entry to its !label entity.', array('!label' => t($type['label']))),
+          'title' => $type['label'],
+          'help' => t('Relate an entry to its %label entity.', array('%label' => $type['label'])),
           'relationship' => array(
             'handler' => 'time_tracker_views_handler_relationship',
             'base' => $type['base table'],
             'base field' => $type['entity keys']['id'],
-            'label' => t($type['label'] . ' ID'),
+            'label' => t('%label ID', array('%label' => $type['label'])),
           ),
         );
         $data[$key]['time_tracker_entry'] = array(
           'title' => t('Time Tracker Entry'),
-          'help' => t('Relate an entity (@bundle_label) to its Time Tracker entries.', array(
-            '@bundle_label' => $bundle['label'],
+          'help' => t('Relate an entity (%bundle_label) to its Time Tracker entries.', array(
+            '%bundle_label' => $bundle['label'],
           )),
           'relationship' => array(
             'handler' => 'time_tracker_views_handler_relationship',