diff --git a/includes/theme.inc b/includes/theme.inc
index ebee7255a6ea5406007e1aac0426d116c87d68b6..f8ebbffb79fca2a484ad11ed586ac52a2e51fbd6 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -2259,12 +2259,12 @@ function template_preprocess_html(&$variables) {
 
   // Construct page title.
   if (drupal_get_title()) {
-    $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()), check_plain(variable_get('site_name', 'Drupal')));
   }
   else {
-    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(check_plain(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = filter_xss_admin(variable_get('site_slogan', ''));
     }
   }
   $variables['head_title'] = implode(' | ', $head_title);
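Review bot: The slogan added as `filter_xss_admin(variable_get('site_slogan', ''))` is joined into `$variables['head_title']`, which by its name is destined for the `<title>` element, where markup is not rendered. Any tag that filter_xss_admin() lets through would then show up as literal text in the browser title. The page title on the first changed line is passed through `strip_tags()`; for consistency the slogan could be `strip_tags(filter_xss_admin(variable_get('site_slogan', '')))`. The body of template_preprocess_html() starts and ends outside this hunk, so how head_title is finally printed is not visible here.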
diff --git a/modules/system/system.test b/modules/system/system.test
index 30ba087efe1abfe3a1f44b51053e3d9879eb9541..480d322e4577a0b1b93dae8937093144885f19cf 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
@@ -869,7 +869,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
       'name' => 'HTML in page titles',
-      'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title().',
+      'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title() and checks the correct escaping of site name and slogan.',
       'group' => 'System'
     );
   }
@@ -880,7 +880,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
   function setUp() {
     parent::setUp();
 
-    $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+    $this->content_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer themes', 'administer site configuration'));
     $this->drupalLogin($this->content_user);
     $this->saved_title = drupal_get_title();
   }
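Review bot: Adding 'administer themes' and 'administer site configuration' to `$this->content_user` in setUp() makes every test in PageTitleFiltering run as a privileged user, not only the new one that needs the settings forms. The existing node-title test would then no longer exercise filtering under a plain content author's permissions. Consider keeping setUp() as it was and creating the elevated account inside testTitleXSS(), e.g. `$admin_user = $this->drupalCreateUser(array('administer themes', 'administer site configuration'));` followed by `$this->drupalLogin($admin_user);`.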
@@ -911,8 +911,8 @@ class PageTitleFiltering extends DrupalWebTestCase {
     // Generate node content.
     $langcode = LANGUAGE_NONE;
     $edit = array(
-     "title" => '!SimpleTest! ' . $title . $this->randomName(20),
-     "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
+      "title" => '!SimpleTest! ' . $title . $this->randomName(20),
+      "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
     );
     // Create the node with HTML in the title.
     $this->drupalPost('node/add/page', $edit, t('Save'));
@@ -922,6 +922,46 @@ class PageTitleFiltering extends DrupalWebTestCase {
     $this->drupalGet("node/" . $node->nid);
     $this->assertText(check_plain($edit["title"]), 'Check to make sure tags in the node title are converted.');
   }
+  /**
+   * Test if the title of the site is XSS proof.
+   */
+  function testTitleXSS() {
+    // Set some title with JavaScript and HTML chars to escape.
+    $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
+    $title_filtered = check_plain($title);
+
+    $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
+    $slogan_filtered = filter_xss_admin($slogan);
+
+    // Activate needed appearance settings.
+    $edit = array(
+      'toggle_name'           => TRUE,
+      'toggle_slogan'         => TRUE,
+      'toggle_main_menu'      => TRUE,
+      'toggle_secondary_menu' => TRUE,
+    );
+    $this->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
+
+    // Set title and slogan.
+    $edit = array(
+      'site_name'    => $title,
+      'site_slogan'  => $slogan,
+    );
+    $this->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
+
+    // Load frontpage.
+    $this->drupalGet('');
+
+    // Test the title.
+    $this->assertNoRaw($title, 'Check for the unfiltered version of the title.');
+    // Adding </title> so we do not test the escaped version from drupal_set_title().
+    $this->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
+
+    // Test the slogan.
+    // Currently Garland is not displaying the slogan so this test is escaped.
+    $this->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
+    $this->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
+  }
 }
 
 /**
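Review bot: The comment `// Currently Garland is not displaying the slogan so this test is escaped.` contradicts the two slogan assertions beneath it, which are active; drop it or state where the slogan is expected to appear. `assertNoRaw($slogan, …)` also passes when the slogan is not rendered at all, so only `assertRaw($slogan_filtered, …)` carries weight, and it matches the bare string anywhere in the page. Going by the theme.inc hunk in this commit, a `<title>` that ends in the site name is produced only when the page has its own title (otherwise the slogan is appended after the name), so the `$title_filtered . '</title>'` check appears to depend on the front page setting one, which deserves a comment. A blank line is also missing between the previous method's closing brace and the new docblock.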
diff --git a/themes/garland/maintenance-page.tpl.php b/themes/garland/maintenance-page.tpl.php
index 0a4e077ce0b34303aa9f90c97a92d347b59b7443..97120d5b09718d8d79a92919550c0ea170003ecd 100644
--- a/themes/garland/maintenance-page.tpl.php
+++ b/themes/garland/maintenance-page.tpl.php
@@ -35,10 +35,10 @@
           // Prepare header
           $site_fields = array();
           if ($site_name) {
-            $site_fields[] = check_plain($site_name);
+            $site_fields[] = $site_name;
           }
           if ($site_slogan) {
-            $site_fields[] = check_plain($site_slogan);
+            $site_fields[] = $site_slogan;
           }
           $site_title = implode(' ', $site_fields);
           if ($site_fields) {
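Review bot: With `check_plain()` removed, `$site_name` and `$site_slogan` are output exactly as the preprocess layer supplies them, and the code that populates these template variables is not part of this diff. If any path hands the raw `variable_get()` values to the maintenance template, the header would print unfiltered HTML. A comment here such as `// $site_name and $site_slogan are already sanitized in the preprocess functions.` would make the dependency explicit, and a test that loads the maintenance page with a hostile site name would pin it. The same applies to the `$vars['site_name']` and `$vars['site_slogan']` lines in the first garland_preprocess_page() hunk of themes/garland/template.php.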
diff --git a/themes/garland/template.php b/themes/garland/template.php
index f25b13cc243431a5122c2a2c0f2076c50a44dafb..975bc55f50aa45207dd0086cfd2162167fee9d6e 100644
--- a/themes/garland/template.php
+++ b/themes/garland/template.php
@@ -96,10 +96,10 @@ function garland_preprocess_page(&$vars) {
   // Prepare header.
   $site_fields = array();
   if (!empty($vars['site_name'])) {
-    $site_fields[] = check_plain($vars['site_name']);
+    $site_fields[] = $vars['site_name'];
   }
   if (!empty($vars['site_slogan'])) {
-    $site_fields[] = check_plain($vars['site_slogan']);
+    $site_fields[] = $vars['site_slogan'];
   }
   $vars['site_title'] = implode(' ', $site_fields);
   if (!empty($site_fields)) {
@@ -108,8 +108,8 @@ function garland_preprocess_page(&$vars) {
   $vars['site_html'] = implode(' ', $site_fields);
 
   // Set a variable for the site name title and logo alt attributes text.
-  $slogan_text = filter_xss_admin(variable_get('site_slogan', ''));
-  $site_name_text = filter_xss_admin(variable_get('site_name', 'Drupal'));
+  $slogan_text = $vars['site_slogan'];
+  $site_name_text = $vars['site_name'];
   $vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text;
 }
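Review bot: Per the comment above these lines, `$site_name_text` and `$slogan_text` feed title and alt attributes, and an attribute value needs tags removed and quotes encoded, which HTML filtering alone does not guarantee. Whether `$vars['site_name']` and `$vars['site_slogan']` arrive as escaped plain text or as filtered HTML is not visible in this diff; if the latter, `$site_name_text = strip_tags($vars['site_name']);` (and likewise for the slogan) would be safer, with the template confirmed to encode quotes when it prints the attribute. The `!empty()` checks in the previous hunk also suggest these variables can be empty, in which case `$vars['site_name_and_slogan']` becomes a single space where the old code fell back to `variable_get('site_name', 'Drupal')`. The function begins outside the hunk.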