- Patch #461938 by Kars-T, Garrett Albright, JamesAn, grendzy: fixed...

- Patch #461938 by Kars-T, Garrett Albright, JamesAn, grendzy: fixed inconsistent use of filter_xss_admin() on () and ().

includes/theme.inc

@@ -2259,12 +2259,12 @@ function template_preprocess_html(&$variables) {
 
   // Construct page title.
   if (drupal_get_title()) {
-    $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()), check_plain(variable_get('site_name', 'Drupal')));
   }
   else {
-    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(check_plain(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = filter_xss_admin(variable_get('site_slogan', ''));
     }
   }
   $variables['head_title'] = implode(' | ', $head_title);

modules/system/system.test

@@ -869,7 +869,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
       'name' => 'HTML in page titles',
-      'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title().',
+      'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title() and checks the correct escaping of site name and slogan.',
       'group' => 'System'
     );
   }
@@ -880,7 +880,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
   function setUp() {
     parent::setUp();
 
-    $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+    $this->content_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer themes', 'administer site configuration'));
     $this->drupalLogin($this->content_user);
     $this->saved_title = drupal_get_title();
   }
@@ -911,8 +911,8 @@ class PageTitleFiltering extends DrupalWebTestCase {
     // Generate node content.
     $langcode = LANGUAGE_NONE;
     $edit = array(
-     "title" => '!SimpleTest! ' . $title . $this->randomName(20),
-     "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
+      "title" => '!SimpleTest! ' . $title . $this->randomName(20),
+      "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
     );
     // Create the node with HTML in the title.
     $this->drupalPost('node/add/page', $edit, t('Save'));
@@ -922,6 +922,46 @@ class PageTitleFiltering extends DrupalWebTestCase {
     $this->drupalGet("node/" . $node->nid);
     $this->assertText(check_plain($edit["title"]), 'Check to make sure tags in the node title are converted.');
   }
+  /**
+   * Test if the title of the site is XSS proof.
+   */
+  function testTitleXSS() {
+    // Set some title with JavaScript and HTML chars to escape.
+    $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
+    $title_filtered = check_plain($title);
+
+    $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
+    $slogan_filtered = filter_xss_admin($slogan);
+
+    // Activate needed appearance settings.
+    $edit = array(
+      'toggle_name'           => TRUE,
+      'toggle_slogan'         => TRUE,
+      'toggle_main_menu'      => TRUE,
+      'toggle_secondary_menu' => TRUE,
+    );
+    $this->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
+
+    // Set title and slogan.
+    $edit = array(
+      'site_name'    => $title,
+      'site_slogan'  => $slogan,
+    );
+    $this->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
+
+    // Load frontpage.
+    $this->drupalGet('');
+
+    // Test the title.
+    $this->assertNoRaw($title, 'Check for the unfiltered version of the title.');
+    // Adding </title> so we do not test the escaped version from drupal_set_title().
+    $this->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
+
+    // Test the slogan.
+    // Currently Garland is not displaying the slogan so this test is escaped.
+    $this->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
+    $this->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
+  }
 }
 
 /**

themes/garland/maintenance-page.tpl.php

@@ -35,10 +35,10 @@
           // Prepare header
           $site_fields = array();
           if ($site_name) {
-            $site_fields[] = check_plain($site_name);
+            $site_fields[] = $site_name;
           }
           if ($site_slogan) {
-            $site_fields[] = check_plain($site_slogan);
+            $site_fields[] = $site_slogan;
           }
           $site_title = implode(' ', $site_fields);
           if ($site_fields) {

themes/garland/template.php

@@ -96,10 +96,10 @@ function garland_preprocess_page(&$vars) {
   // Prepare header.
   $site_fields = array();
   if (!empty($vars['site_name'])) {
-    $site_fields[] = check_plain($vars['site_name']);
+    $site_fields[] = $vars['site_name'];
   }
   if (!empty($vars['site_slogan'])) {
-    $site_fields[] = check_plain($vars['site_slogan']);
+    $site_fields[] = $vars['site_slogan'];
   }
   $vars['site_title'] = implode(' ', $site_fields);
   if (!empty($site_fields)) {
@@ -108,8 +108,8 @@ function garland_preprocess_page(&$vars) {
   $vars['site_html'] = implode(' ', $site_fields);
 
   // Set a variable for the site name title and logo alt attributes text.
-  $slogan_text = filter_xss_admin(variable_get('site_slogan', ''));
-  $site_name_text = filter_xss_admin(variable_get('site_name', 'Drupal'));
+  $slogan_text = $vars['site_slogan'];
+  $site_name_text = $vars['site_name'];
   $vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text;
 }