- Patch #461938 by Kars-T, Garrett Albright, JamesAn, grendzy: fixed inconsistent use of filter_xss_admin() on () and ().
parent
d33bad9fa1
commit
e5e3d279e2
|
@ -2259,12 +2259,12 @@ function template_preprocess_html(&$variables) {
|
|||
|
||||
// Construct page title.
|
||||
if (drupal_get_title()) {
|
||||
$head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
|
||||
$head_title = array(strip_tags(drupal_get_title()), check_plain(variable_get('site_name', 'Drupal')));
|
||||
}
|
||||
else {
|
||||
$head_title = array(variable_get('site_name', 'Drupal'));
|
||||
$head_title = array(check_plain(variable_get('site_name', 'Drupal')));
|
||||
if (variable_get('site_slogan', '')) {
|
||||
$head_title[] = variable_get('site_slogan', '');
|
||||
$head_title[] = filter_xss_admin(variable_get('site_slogan', ''));
|
||||
}
|
||||
}
|
||||
$variables['head_title'] = implode(' | ', $head_title);
|
||||
|
|
|
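Review bot: The slogan pushed onto `$head_title` at L42 goes through filter_xss_admin() while the site name in the same string (L21, L33) goes through check_plain(); both end up in one `<title>` text node, where no markup is rendered, so the tag whitelist that filter_xss_admin() preserves buys nothing and the two parts of the title are filtered by different rules. `$head_title[] = check_plain(variable_get('site_slogan', ''));` would keep the whole `<title>` consistently plain text, and matches how the site name is treated two lines above. Each of drupal_get_title(), the site_name variable_get() and the site_slogan variable_get() is also called twice in this hunk; hoisting them into locals would make the filtering choice visible in one place. template_preprocess_html() starts and ends outside the hunk.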
@ -869,7 +869,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
|
|||
public static function getInfo() {
|
||||
return array(
|
||||
'name' => 'HTML in page titles',
|
||||
'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title().',
|
||||
'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title() and checks the correct escaping of site name and slogan.',
|
||||
'group' => 'System'
|
||||
);
|
||||
}
|
||||
|
@ -880,7 +880,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
|
|||
function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
|
||||
$this->content_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer themes', 'administer site configuration'));
|
||||
$this->drupalLogin($this->content_user);
|
||||
$this->saved_title = drupal_get_title();
|
||||
}
|
||||
|
@ -911,8 +911,8 @@ class PageTitleFiltering extends DrupalWebTestCase {
|
|||
// Generate node content.
|
||||
$langcode = LANGUAGE_NONE;
|
||||
$edit = array(
|
||||
"title" => '!SimpleTest! ' . $title . $this->randomName(20),
|
||||
"body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
|
||||
"title" => '!SimpleTest! ' . $title . $this->randomName(20),
|
||||
"body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
|
||||
);
|
||||
// Create the node with HTML in the title.
|
||||
$this->drupalPost('node/add/page', $edit, t('Save'));
|
||||
|
@ -922,6 +922,46 @@ class PageTitleFiltering extends DrupalWebTestCase {
|
|||
$this->drupalGet("node/" . $node->nid);
|
||||
$this->assertText(check_plain($edit["title"]), 'Check to make sure tags in the node title are converted.');
|
||||
}
|
||||
/**
|
||||
* Test if the title of the site is XSS proof.
|
||||
*/
|
||||
function testTitleXSS() {
|
||||
// Set some title with JavaScript and HTML chars to escape.
|
||||
$title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
|
||||
$title_filtered = check_plain($title);
|
||||
|
||||
$slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
|
||||
$slogan_filtered = filter_xss_admin($slogan);
|
||||
|
||||
// Activate needed appearance settings.
|
||||
$edit = array(
|
||||
'toggle_name' => TRUE,
|
||||
'toggle_slogan' => TRUE,
|
||||
'toggle_main_menu' => TRUE,
|
||||
'toggle_secondary_menu' => TRUE,
|
||||
);
|
||||
$this->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
|
||||
|
||||
// Set title and slogan.
|
||||
$edit = array(
|
||||
'site_name' => $title,
|
||||
'site_slogan' => $slogan,
|
||||
);
|
||||
$this->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
|
||||
|
||||
// Load frontpage.
|
||||
$this->drupalGet('');
|
||||
|
||||
// Test the title.
|
||||
$this->assertNoRaw($title, 'Check for the unfiltered version of the title.');
|
||||
// Adding </title> so we do not test the escaped version from drupal_set_title().
|
||||
$this->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
|
||||
|
||||
// Test the slogan.
|
||||
// Currently Garland is not displaying the slogan so this test is escaped.
|
||||
$this->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
|
||||
$this->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
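Review bot: The comment at L260 says the slogan "test is escaped" because Garland does not display the slogan, yet L263 and L266 assert on the slogan unconditionally; either the comment is stale or the assertRaw() at L266 fails whenever the slogan is absent from the page, so the comment should be dropped or reworded to state what is actually expected. Note also that if filter_xss_admin() merely strips the `<script>` tags from `$slogan`, `$slogan_filtered` (L184) is a substring of the unfiltered `$slogan`, so `assertRaw($slogan_filtered)` alone cannot tell filtered from unfiltered output — it is the assertNoRaw() at L263 that carries the security check, which is worth saying in the comment, e.g. `// assertNoRaw() above is the real XSS check; this only confirms the slogan is rendered.` The same reasoning applies to the title assertions at L246 and L252, where `$title_filtered . '</title>'` is what pins the escaped form.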
@ -35,10 +35,10 @@
|
|||
// Prepare header
|
||||
$site_fields = array();
|
||||
if ($site_name) {
|
||||
$site_fields[] = check_plain($site_name);
|
||||
$site_fields[] = $site_name;
|
||||
}
|
||||
if ($site_slogan) {
|
||||
$site_fields[] = check_plain($site_slogan);
|
||||
$site_fields[] = $site_slogan;
|
||||
}
|
||||
$site_title = implode(' ', $site_fields);
|
||||
if ($site_fields) {
|
||||
|
|
|
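Review bot: The template now prints `$site_name` (L298) and `$site_slogan` (L310) without the check_plain() the old lines applied, so escaping is delegated to whatever preprocess function supplies these variables, and that function is not part of this diff. That is fine only as long as the contract holds, and nothing in the template records it; a one-line comment at L289 such as `// $site_name and $site_slogan arrive already filtered from the preprocess function; print as-is.` would stop a later edit from reintroducing double escaping or, worse, printing a raw variable here. The enclosing template starts and ends outside the hunk.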
@ -96,10 +96,10 @@ function garland_preprocess_page(&$vars) {
|
|||
// Prepare header.
|
||||
$site_fields = array();
|
||||
if (!empty($vars['site_name'])) {
|
||||
$site_fields[] = check_plain($vars['site_name']);
|
||||
$site_fields[] = $vars['site_name'];
|
||||
}
|
||||
if (!empty($vars['site_slogan'])) {
|
||||
$site_fields[] = check_plain($vars['site_slogan']);
|
||||
$site_fields[] = $vars['site_slogan'];
|
||||
}
|
||||
$vars['site_title'] = implode(' ', $site_fields);
|
||||
if (!empty($site_fields)) {
|
||||
|
@ -108,8 +108,8 @@ function garland_preprocess_page(&$vars) {
|
|||
$vars['site_html'] = implode(' ', $site_fields);
|
||||
|
||||
// Set a variable for the site name title and logo alt attributes text.
|
||||
$slogan_text = filter_xss_admin(variable_get('site_slogan', ''));
|
||||
$site_name_text = filter_xss_admin(variable_get('site_name', 'Drupal'));
|
||||
$slogan_text = $vars['site_slogan'];
|
||||
$site_name_text = $vars['site_name'];
|
||||
$vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text;
|
||||
}
|
||||
|
||||
|
|
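Review bot: At L382 and L385 `$vars['site_slogan']` and `$vars['site_name']` are used to build `site_name_and_slogan`, which the comment at L373 says is for title and logo `alt` attribute text; whatever filtered those variables upstream (outside this hunk — the removed lines used filter_xss_admin()), a markup-whitelist filter is not an attribute escaper, as it can leave `"` and whitelisted tags in place, and a `"` would end an `alt="…"` value early while tags would show as literal text in it. For attribute context the values should be plain-text escaped: `$slogan_text = check_plain(variable_get('site_slogan', ''));` and `$site_name_text = check_plain(variable_get('site_name', 'Drupal'));`, or equivalently check_plain() applied at the print site in the template. The hunk at L283 prints the same two variables and would benefit from the same clarification of where escaping happens. garland_preprocess_page() continues outside the hunk.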