Theme changes for security fix 2013-001
diff --git a/themes/default/css/style.css b/themes/default/css/style.css
index f0ff34f..bb97676 100644
--- a/themes/default/css/style.css
+++ b/themes/default/css/style.css
@@ -2126,3 +2126,10 @@ div.ci_checkin {
.user-color { width:160px;height:20px; }
.badges { float:left;padding-left:25px;width:275px;}
.badge img { margin:5px; }
+
+.allowed-html {
+ font-weight: normal;
+ font-size: 10px;
+ line-height: 12px;
+ color: #a1a1a1;
+}
diff --git a/themes/default/views/blocks/main_reports.php b/themes/default/views/blocks/main_reports.php
index a1895ae..c9ba452 100644
--- a/themes/default/views/blocks/main_reports.php
+++ b/themes/default/views/blocks/main_reports.php
@@ -19,14 +19,14 @@
foreach ($incidents as $incident)
{
$incident_id = $incident->id;
- $incident_title = text::limit_chars(strip_tags($incident->incident_title), 40, '...', True);
+ $incident_title = text::limit_chars(html::escape($incident->incident_title), 40, '...', True);
$incident_date = $incident->incident_date;
$incident_date = date('M j Y', strtotime($incident->incident_date));
$incident_location = $incident->location->location_name;
?>
<tr>
- <td><a href="<?php echo url::site() . 'reports/view/' . $incident_id; ?>"> <?php echo html::specialchars($incident_title) ?></a></td>
- <td><?php echo html::specialchars($incident_location) ?></td>
+ <td><a href="<?php echo url::site() . 'reports/view/' . $incident_id; ?>"> <?php echo html::escape($incident_title) ?></a></td>
+ <td><?php echo html::escape($incident_location) ?></td>
<td><?php echo $incident_date; ?></td>
</tr>
<?php
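Review bot: `$incident_title` is now escaped twice — `html::escape()` at line 35 when it is assigned, and again at line 43 when it is echoed — so unless `html::escape()` disables double-encoding (not visible here) a `&`, `<` or quote in a report title is displayed as literal `&amp;amp;`-style text. Escaping before `text::limit_chars()` also lets the truncation cut an entity in half (`&am...`). The old code stripped markup here and escaped at output, which is what reports/list.php in this same commit still does; matching it keeps one escape at the echo: `$incident_title = text::limit_chars(html::strip_tags($incident->incident_title), 40, '...', True);` with `html::escape($incident_title)` left on line 43. The foreach body continues past the end of this hunk.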
diff --git a/themes/default/views/feed/atom.php b/themes/default/views/feed/atom.php
index ad0882b..f9ab59f 100644
--- a/themes/default/views/feed/atom.php
+++ b/themes/default/views/feed/atom.php
@@ -1,7 +1,7 @@
-<?php echo "<?xml version=\"1.0\"?>"; ?>
+<?php echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"; ?>
<feed xmlns="http://www.w3.org/2005/Atom"<?php if(isset($georss)) echo ' xmlns:georss="http://www.georss.org/georss"';?>>
- <title type="text"><?php echo $feed_title; ?></title>
- <subtitle type="html"><?php echo $feed_description; ?></subtitle>
+ <title type="text"><?php echo html::specialchars($feed_title); ?></title>
+ <subtitle type="html"><?php echo html::specialchars($feed_description); ?></subtitle>
<updated><?php echo gmdate("c", strtotime($feed_date)); ?></updated>
<id><?php echo $feed_url; ?></id>
<link rel="alternate" type="text/html" href="<?php echo $site_url; ?>"/>
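Review bot: `html::specialchars($feed_description)` on line 59 sits inside `<subtitle type="html">`, and in Atom `type="html"` tells the reader that the escaped content is HTML to be unescaped and rendered, so the new escaping only keeps the XML well-formed — any markup in `$feed_description` still reaches the reader as live HTML. If the subtitle is meant to be plain text, declare it so: `<subtitle type="text"><?php echo html::specialchars($feed_description); ?></subtitle>`. `$feed_url` and `$site_url` on lines 61–62 are still echoed raw; presumably they are site configuration rather than user input, but passing them through `html::specialchars()` costs nothing and keeps the feed parseable if either ever contains `&`.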
@@ -15,14 +15,14 @@
foreach ($items as $item)
{?>
<entry>
- <title><?php echo $item['title']; ?></title>
+ <title><?php echo html::specialchars($item['title']); ?></title>
<link rel="alternate" type="text/html" href="<?php echo $item['link']; ?>"/>
<updated><?php echo gmdate("c", strtotime($item['date'])); ?></updated>
<published><?php echo gmdate("c", strtotime($item['date'])); ?></published>
<content type="xhtml" xml:lang="en"
xml:base="http://diveintomark.org/">
<div xmlns="http://www.w3.org/1999/xhtml">
- <?php echo $item['description']; ?>
+ <?php echo html::clean($item['description']); ?>
</div>
</content>
<?php
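Review bot: `$item['link']` on line 69 is still echoed unescaped into an `href` attribute while the title next to it is now escaped; a `"` or `&` in the link breaks the feed's XML, so it should get the same `html::specialchars($item['link'])`. The `xml:base="http://diveintomark.org/"` on line 73 looks like a leftover from a specification example: it makes any relative URL inside the cleaned description resolve against that third-party host, whereas `$site_url`, used earlier in this file, is the base that matches this site. `html::clean()` on line 76 also has to emit well-formed XHTML (closed `<br/>`, quoted attributes) for `type="xhtml"` content to parse, which cannot be verified from this diff.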
diff --git a/themes/default/views/feed/rss2.php b/themes/default/views/feed/rss2.php
index dc11705..01de2e0 100644
--- a/themes/default/views/feed/rss2.php
+++ b/themes/default/views/feed/rss2.php
@@ -1,10 +1,10 @@
-<?php echo "<?xml version=\"1.0\"?>"; ?>
+<?php echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"; ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"<?php if(isset($georss)) echo ' xmlns:georss="http://www.georss.org/georss"';?>>
<channel>
- <title><?php echo $feed_title; ?></title>
+ <title><?php echo html::specialchars($feed_title); ?></title>
<link><?php echo $site_url; ?></link>
<pubDate><?php echo gmdate("D, d M Y H:i:s T", strtotime($feed_date)); ?></pubDate>
- <description><?php echo $feed_description; ?></description>
+ <description><?php echo html::specialchars($feed_description); ?></description>
<generator>Ushahidi Platform</generator>
<atom:link href="<?php echo $feed_url; ?>" rel="self" type="application/rss+xml" />
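Review bot: `$site_url` (line 91) and `$feed_url` (line 96, inside an `href` attribute) are the only channel fields left raw after this hunk; they are presumably site configuration, but an `&` in either breaks the XML and `html::specialchars()` on both is free. Note also that RSS readers commonly treat `<description>` as HTML, so the escaping on line 94 keeps the document well-formed but does not stop markup in `$feed_description` from being rendered by the reader — the same caveat as the Atom subtitle.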
@@ -13,9 +13,9 @@
<?php foreach ($items as $item): ?>
<item>
- <title><?php echo htmlspecialchars($item['title']); ?></title>
+ <title><?php echo html::specialchars($item['title']); ?></title>
<link><?php echo $item['link']; ?></link>
- <description><![CDATA[<?php echo htmlspecialchars($item['description'], ENT_COMPAT, 'UTF-8'); ?>]]></description>
+ <description><![CDATA[<?php echo html::specialchars($item['description']); ?>]]></description>
<pubDate><?php echo gmdate("D, d M Y H:i:s T", strtotime($item['date'])); ?></pubDate>
<guid><?php if(isset($item['guid'])) echo $item['guid']; else echo $item['link'] ?></guid>
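Review bot: `$item['link']` (line 102) and `$item['guid']` (line 106) are the only item fields still echoed raw after this hunk; whether they can ever carry user data depends on how items are built, which is outside this diff, but `html::specialchars()` on both is harmless and keeps the XML well-formed. Separately, `html::specialchars()` inside `<![CDATA[ ... ]]>` on line 104 means readers that treat `description` as HTML will show the entities literally (`&lt;b&gt;` displayed as text); if that is the intent, a comment saying so would stop the next maintainer "fixing" it, e.g. `// description is deliberately shown as escaped text, not rendered HTML`. The `>` escaping does at least prevent a `]]>` in the description from closing the CDATA section early.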
@@ -24,7 +24,7 @@
<?php endif; ?>
<?php foreach ($item['categories'] as $category): ?>
- <category><?php echo htmlspecialchars($category); ?></category>
+ <category><?php echo html::specialchars($category); ?></category>
<?php endforeach; ?>
<?php // Event::feed_rss_item - Add to the feed item ?>
diff --git a/themes/default/views/header.php b/themes/default/views/header.php
index 53e19ad..2e9c472 100644
--- a/themes/default/views/header.php
+++ b/themes/default/views/header.php
@@ -89,7 +89,7 @@
</ul>
<?php if ($allow_feed == 1) { ?>
- <div class="feedicon"><a href="<?php echo url::site(); ?>feed/"><img alt="<?php echo htmlentities(Kohana::lang('ui_main.rss'), ENT_QUOTES); ?>" src="<?php echo url::file_loc('img'); ?>media/img/icon-feed.png" style="vertical-align: middle;" border="0" /></a></div>
+ <div class="feedicon"><a href="<?php echo url::site(); ?>feed/"><img alt="<?php echo html::escape(Kohana::lang('ui_main.rss')); ?>" src="<?php echo url::file_loc('img'); ?>media/img/icon-feed.png" style="vertical-align: middle;" border="0" /></a></div>
<?php } ?>
</div>
diff --git a/themes/default/views/main/layout.php b/themes/default/views/main/layout.php
index bbc2a58..8147328 100755
--- a/themes/default/views/main/layout.php
+++ b/themes/default/views/main/layout.php
@@ -49,12 +49,12 @@
<?php
foreach ($categories as $category => $category_info)
{
- $category_title = htmlentities($category_info[0], ENT_QUOTES, "UTF-8");
+ $category_title = html::escape($category_info[0]);
$category_color = $category_info[1];
$category_image = ($category_info[2] != NULL)
? url::convert_uploaded_to_abs($category_info[2])
: NULL;
- $category_description = htmlentities(Category_Lang_Model::category_description($category), ENT_QUOTES, "UTF-8");
+ $category_description = html::escape(Category_Lang_Model::category_description($category));
$color_css = 'class="category-icon swatch" style="background-color:#'.$category_color.'"';
if ($category_info[2] != NULL)
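Review bot: `$category_color` is interpolated into a `style` attribute on line 141 with no escaping or format check, while the title and description beside it are now escaped; unless the colour is validated to hex digits when the category is saved (not visible here), a `"` in it breaks out of the attribute and CSS of the attacker's choosing follows. Because this is a CSS context, escaping alone is not enough — whitelist the value instead: `$category_color = preg_match('/^[0-9a-fA-F]{3,6}$/', $category_info[1]) ? $category_info[1] : '000000';`. This hunk is inside the `foreach` on line 131, which continues past line 142.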
@@ -78,12 +78,12 @@
echo '<ul>';
foreach ($category_info[3] as $child => $child_info)
{
- $child_title = htmlentities($child_info[0], ENT_QUOTES, "UTF-8");
+ $child_title = html::escape($child_info[0]);
$child_color = $child_info[1];
$child_image = ($child_info[2] != NULL)
? url::convert_uploaded_to_abs($child_info[2])
: NULL;
- $child_description = htmlentities(Category_Lang_Model::category_description($child), ENT_QUOTES, "UTF-8");
+ $child_description = html::escape(Category_Lang_Model::category_description($child));
$color_css = 'class="category-icon swatch" style="background-color:#'.$child_color.'"';
if ($child_info[2] != NULL)
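Review bot: Same gap as the parent category above: `$child_color` reaches the `style` attribute on line 155 unchecked, so the escaping added to `$child_title` and `$child_description` does not cover the one value that can actually break out of the attribute. Restrict it to a hex colour at assignment, `$child_color = preg_match('/^[0-9a-fA-F]{3,6}$/', $child_info[1]) ? $child_info[1] : '000000';`, or at minimum `html::escape()` it, since a `style` value is a CSS context where a raw quote ends the attribute. The inner `foreach` (line 145) continues beyond this hunk.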
diff --git a/themes/default/views/page.php b/themes/default/views/page.php
index f474e0d..c78d642 100644
--- a/themes/default/views/page.php
+++ b/themes/default/views/page.php
@@ -1,9 +1,9 @@
<div id="content">
<div class="content-bg">
<div class="big-block">
- <h1><?php echo $page_title ?></h1>
+ <h1><?php echo html::escape($page_title) ?></h1>
<div class="page_text"><?php
- echo htmlspecialchars_decode($page_description);
+ echo $page_description;
Event::run('ushahidi_action.page_extra', $page_id);
?></div>
</div>
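Review bot: `echo $page_description;` on line 169 now outputs the stored page body with no treatment at render time at all; the rest of this commit passes rich text through `html::clean()` at output (reports/detail.php), and this view should do the same unless the page body is known to be cleaned when it is saved, which this diff does not show. `echo html::clean($page_description);` keeps admin-authored markup while giving the same defence-in-depth as the other views. If the invariant really is enforced on write, record it on the line with the actual location, e.g. `// page_description is sanitized by the admin page editor on save`.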
diff --git a/themes/default/views/profile/user.php b/themes/default/views/profile/user.php
index adeadba..b1df0ce 100644
--- a/themes/default/views/profile/user.php
+++ b/themes/default/views/profile/user.php
@@ -24,7 +24,7 @@
<h4><?php echo Kohana::lang('ui_main.reports_by_this_user');?></h4>
<?php foreach($reports as $report) { ?>
<div class="rb_report">
- <h5><a href="<?php echo url::site(); ?>reports/view/<?php echo $report->id; ?>"><?php echo strip_tags($report->incident_title); ?></a></h5>
+ <h5><a href="<?php echo url::site(); ?>reports/view/<?php echo $report->id; ?>"><?php echo html::escape($report->incident_title); ?></a></h5>
<p class="r_date r-3 bottom-cap"><?php echo date('H:i M d, Y', strtotime($report->incident_date)); ?></p>
<p class="r_location"><?php echo html::specialchars($report->location->location_name); ?></p>
</div>
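Review bot: Lines 182 and 184 now use two different escaping helpers side by side — `html::escape()` for the report title and `html::specialchars()` for the location name; if the two differ in quote handling or double-encoding (not visible here), titles and locations get inconsistent treatment in the same block. Pick one for the view, `html::escape($report->location->location_name)`, or add a comment explaining why they differ. The `foreach` on line 179 continues past this hunk.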
diff --git a/themes/default/views/reports/comments.php b/themes/default/views/reports/comments.php
index 07980b6..5d9a0ca 100644
--- a/themes/default/views/reports/comments.php
+++ b/themes/default/views/reports/comments.php
@@ -8,10 +8,10 @@
<div class="report-comment-box">
<div>
- <strong><?php echo html::specialchars($comment->comment_author); ?></strong>&nbsp;(<?php echo date('M j Y', strtotime($comment->comment_date)); ?>)
+ <strong><?php echo html::strip_tags($comment->comment_author); ?></strong>&nbsp;(<?php echo date('M j Y', strtotime($comment->comment_date)); ?>)
</div>
- <div><?php echo html::specialchars($comment->comment_description); ?></div>
+ <div><?php echo html::escape($comment->comment_description); ?></div>
</div>
<?php endforeach; ?>
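Review bot: Replacing `html::specialchars()` with `html::strip_tags()` for `$comment->comment_author` on line 194 is a downgrade: stripping tags is not escaping, so a `&`, a quote or a stray `<` survives into the markup, and anything the stripper does not recognise as a tag is output as-is — exactly the class of input a visitor-supplied author name can contain. The description two lines down is escaped with `html::escape()`; the author should get the same: `<strong><?php echo html::escape($comment->comment_author); ?></strong>`. If the intent is to remove markup first, strip and then escape the result rather than stripping alone.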
diff --git a/themes/default/views/reports/detail.php b/themes/default/views/reports/detail.php
index 0145e07..462ebe6 100755
--- a/themes/default/views/reports/detail.php
+++ b/themes/default/views/reports/detail.php
@@ -14,7 +14,7 @@
?>
<h1 class="report-title"><?php
- echo htmlentities($incident_title, ENT_QUOTES, "UTF-8");
+ echo html::escape($incident_title);
// If Admin is Logged In - Allow For Edit Link
if ($logged_in)
@@ -78,7 +78,7 @@
echo '<div id="report-images">';
foreach ($incident_photos as $photo)
{
- echo '<a class="photothumb" rel="lightbox-group1" href="'.$photo['large'].'"><img alt="'.htmlentities($incident_title, ENT_QUOTES, "UTF-8").'" src="'.$photo['thumb'].'"/></a> ';
+ echo '<a class="photothumb" rel="lightbox-group1" href="'.$photo['large'].'"><img alt="'.html::escape($incident_title).'" src="'.$photo['thumb'].'"/></a> ';
};
echo '</div>';
}
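Review bot: `$photo['large']` and `$photo['thumb']` on line 216 are still dropped raw into `href` and `src` attributes while the `alt` text beside them is now escaped; these are presumably server-generated upload paths, but if a file name is ever preserved from the upload a `"` in it ends the attribute. Wrapping both in `html::escape()` on that line keeps the attribute intact at no cost.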
@@ -103,7 +103,7 @@
<!-- start report description -->
<div class="report-description-text">
<h5><?php echo Kohana::lang('ui_main.reports_description');?></h5>
- <?php echo nl2br($incident_description); ?>
+ <?php echo html::clean(nl2br($incident_description)); ?>
<br/>
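Review bot: `html::clean(nl2br($incident_description))` on line 225 runs the sanitizer after `nl2br()`, so the `<br />` tags it inserted only survive if `html::clean()` allows `br`; with a tighter allow-list every line break in a report silently disappears. Reversing the order, `nl2br(html::clean($incident_description))`, keeps the breaks regardless of the allow-list, because `nl2br()` only ever adds a fixed, safe tag after the untrusted markup has been cleaned. What `html::clean()` permits is not visible in this diff, so treat the allow-list as something to confirm.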
diff --git a/themes/default/views/reports/list.php b/themes/default/views/reports/list.php
index abdd731..2ee0f25 100644
--- a/themes/default/views/reports/list.php
+++ b/themes/default/views/reports/list.php
@@ -44,14 +44,14 @@
foreach ($incidents as $incident)
{
$incident_id = $incident->incident_id;
- $incident_title = strip_tags($incident->incident_title);
- $incident_description = strip_tags($incident->incident_description);
+ $incident_title = html::strip_tags($incident->incident_title);
+ $incident_description = html::strip_tags($incident->incident_description);
$incident_url = Incident_Model::get_url($incident_id);
//$incident_category = $incident->incident_category;
// Trim to 150 characters without cutting words
// XXX: Perhaps delcare 150 as constant
- $incident_description = text::limit_chars(strip_tags($incident_description), 140, "...", true);
+ $incident_description = text::limit_chars(html::strip_tags($incident_description), 140, "...", true);
$incident_date = date('H:i M d, Y', strtotime($incident->incident_date));
//$incident_time = date('H:i', strtotime($incident->incident_date));
$location_id = $incident->location_id;
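Review bot: `$incident_description` is stripped twice on the new side — `html::strip_tags()` on line 238 and again inside `text::limit_chars()` on line 244 on the already-stripped string; the second call is redundant and the truncation could be folded into line 238. More importantly, `html::strip_tags()` removes markup but does not escape, so wherever `$incident_description` is echoed later in this file (outside this hunk) it still needs `html::escape()`, as `$incident_title` gets on lines 253 and 260. The `foreach` on line 232 continues past this hunk.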
@@ -88,7 +88,7 @@
<div id="incident_<?php echo $incident_id ?>" class="rb_report <?php echo $incident_verified_class; ?>">
<div class="r_media">
<p class="r_photo"> <a href="<?php echo $incident_url; ?>">
- <img alt="<?php echo htmlentities($incident_title, ENT_QUOTES, "UTF-8"); ?>" src="<?php echo $incident_thumb; ?>" /> </a>
+ <img alt="<?php echo html::escape($incident_title); ?>" src="<?php echo $incident_thumb; ?>" /> </a>
</p>
<!-- Only show this if the report has a video -->
@@ -126,7 +126,7 @@
<div class="r_details">
<h3><a class="r_title" href="<?php echo $incident_url; ?>">
- <?php echo htmlentities($incident_title, ENT_QUOTES, "UTF-8"); ?>
+ <?php echo html::escape($incident_title); ?>
</a>
<a href="<?php echo "$incident_url#discussion"; ?>" class="r_comments">
<?php echo $comment_count; ?></a>
diff --git a/themes/default/views/reports/submit.php b/themes/default/views/reports/submit.php
index be16ec8..3656923 100755
--- a/themes/default/views/reports/submit.php
+++ b/themes/default/views/reports/submit.php
@@ -50,6 +50,7 @@
</div>
<div class="report_row">
<h4><?php echo Kohana::lang('ui_main.reports_description'); ?> <span class="required">*</span> </h4>
+ <span class="allowed-html"><?php echo html::allowed_html(); ?></span>
<?php print form::textarea('incident_description', $form['incident_description'], ' rows="10" class="textarea long" ') ?>
</div>
<div class="report_row" id="datetime_default">
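Review bot: `html::allowed_html()` on line 272 is echoed raw: if it returns the permitted tags as literal `<b>, <i>, ...` the browser parses them as markup and the hint renders blank, and if it returns HTML-ready text an extra escape would double-encode it — which one it does is not visible here. Make the contract explicit at the call site: `<?php echo html::escape(html::allowed_html()); ?>` if the helper returns plain text, otherwise a one-line comment such as `// allowed_html() returns pre-escaped markup for display`.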