# This patch file was generated by NetBeans IDE
# This patch can be applied using context Tools: Apply Diff Patch action on respective folder.
# It uses platform neutral UTF-8 encoding.
# Above lines and this line are ignored by the patching process.
Index: drupal/includes/theme.inc
--- drupal/includes/theme.inc Base (1.574)
+++ drupal/includes/theme.inc Locally Modified (Based On 1.574)
@@ -2332,12 +2332,12 @@
 
   // Construct page title.
   if (drupal_get_title()) {
-    $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()), check_plain(variable_get('site_name', 'Drupal')));
   }
   else {
-    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(check_plain(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = filter_xss_admin(variable_get('site_slogan', ''));
     }
   }
   $variables['head_title'] = implode(' | ', $head_title);
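Review bot: The slogan appended on the filter_xss_admin line is escaped differently from the site name two lines above (check_plain), yet both are imploded into $head_title, which the test in this patch confirms is printed inside the `<title>` element; markup is never rendered there, so any tag filter_xss_admin permits (e.g. `<em>`) would appear literally in the browser tab, while `</title>` and `<script>` are still removed — a display inconsistency rather than an injection. Since the node title on the first line is already reduced to text with strip_tags(), the slogan should be too: `$head_title[] = strip_tags(filter_xss_admin(variable_get('site_slogan', '')));`. The enclosing preprocess function starts before this hunk, and how the template prints head_title is not visible here, so the assumption that the implode result is output without further escaping should be confirmed against html.tpl.php.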
Index: drupal/modules/system/system.test
--- drupal/modules/system/system.test Base (1.110)
+++ drupal/modules/system/system.test Locally Modified (Based On 1.110)
@@ -868,7 +868,7 @@
   public static function getInfo() {
     return array(
       'name' => 'HTML in page titles',
-      'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title().',
+      'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title() and checks the correct escaping of site name and slogan.',
       'group' => 'System'
     );
   }
@@ -879,7 +879,7 @@
   function setUp() {
     parent::setUp();
 
-    $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+    $this->content_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer themes', 'administer site configuration'));
     $this->drupalLogin($this->content_user);
     $this->saved_title = drupal_get_title();
   }
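Review bot: The two administrative permissions added on the drupalCreateUser line are granted to $this->content_user, which every test in this class logs in as, so the existing node-title test no longer runs as a plain content author. Keeping the privilege sets separate makes each test's assumptions explicit: `$this->admin_user = $this->drupalCreateUser(array('administer themes', 'administer site configuration'));` here, and `$this->drupalLogin($this->admin_user);` at the start of the one test that posts to the appearance and site-information forms. The class declaration is outside this hunk.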
@@ -910,8 +910,8 @@
     // Generate node content.
     $langcode = LANGUAGE_NONE;
     $edit = array(
-     "title" => '!SimpleTest! ' . $title . $this->randomName(20),
-     "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
+      "title" => '!SimpleTest! ' . $title . $this->randomName(20),
+      "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
     );
     // Create the node with HTML in the title.
     $this->drupalPost('node/add/page', $edit, t('Save'));
@@ -921,6 +921,46 @@
     $this->drupalGet("node/" . $node->nid);
     $this->assertText(check_plain($edit["title"]), 'Check to make sure tags in the node title are converted.');
   }
+  /**
+   * Test if the title of the site is XSS proof.
+   */
+  function testTitleXSS() {
+    // Set some title with JavaScript and HTML chars to escape.
+    $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
+    $title_filtered = check_plain($title);
+
+    $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
+    $slogan_filtered = filter_xss_admin($slogan);
+
+    // Activate needed appearance settings.
+    $edit = array(
+      'toggle_name'           => TRUE,
+      'toggle_slogan'         => TRUE,
+      'toggle_main_menu'      => TRUE,
+      'toggle_secondary_menu' => TRUE,
+    );
+    $this->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
+
+    // Set title and slogan.
+    $edit = array(
+      'site_name'    => $title,
+      'site_slogan'  => $slogan,
+    );
+    $this->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
+
+    // Load frontpage.
+    $this->drupalGet('');
+
+    // Test the title.
+    $this->assertNoRaw($title, 'Check for the unfiltered version of the title.');
+    // Adding </title> so we do not test the escaped version from drupal_set_title().
+    $this->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
+
+    // Test the slogan.
+    // Currently Garland is not displaying the slogan so this test is escaped.
+    $this->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
+    $this->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
+  }
 }
 
 /**
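Review bot: The assertRaw on the `$title_filtered . '</title>'` line only holds if the front page sets a title through drupal_set_title(): then head_title is built from that title and the site name, and the site name is the last element before `</title>`; without one, the slogan branch runs and, since toggle_slogan was enabled two posts earlier, the output becomes `site name | slogan</title>` and the suffix never matches. That precondition should be made explicit rather than inherited from the default front page, e.g. `// Relies on the front page setting a title, so the slogan branch of the head_title code is not taken.`, or by requesting a node whose title the test created itself. The comment "Currently Garland is not displaying the slogan so this test is escaped" also contradicts the two slogan assertions that follow and run unconditionally; either drop it or state what it actually means. Finally, `$slogan_filtered` is just `alert("Slogan XSS!");` after filter_xss_admin(), so the positive assertion passes wherever that text lands and says nothing about the surrounding context; the assertNoRaw on the full tag is the check that carries weight.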
Index: drupal/themes/garland/maintenance-page.tpl.php
--- drupal/themes/garland/maintenance-page.tpl.php Base (1.14)
+++ drupal/themes/garland/maintenance-page.tpl.php Locally Modified (Based On 1.14)
@@ -38,10 +38,10 @@
           // Prepare header
           $site_fields = array();
           if ($site_name) {
-            $site_fields[] = check_plain($site_name);
+            $site_fields[] = $site_name;
           }
           if ($site_slogan) {
-            $site_fields[] = check_plain($site_slogan);
+            $site_fields[] = $site_slogan;
           }
           $site_title = implode(' ', $site_fields);
           if ($site_fields) {
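Review bot: Dropping check_plain() on the two $site_fields[] lines makes this template trust that $site_name and $site_slogan arrive already filtered; that contract lives in the preprocess function that supplies them, which is not part of this patch, so a reader of the template alone can no longer see that the values are safe to print. A comment keeps the next maintainer from re-adding escaping or passing raw values: `// $site_name and $site_slogan are already filtered by the preprocess layer; do not escape them again here.` Because the maintenance page is also used during install and error states, the preprocess path that populates these variables there should be checked as well — presumably template_preprocess_maintenance_page(), which I cannot see from the hunk.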
Index: drupal/themes/garland/template.php
--- drupal/themes/garland/template.php Base (1.37)
+++ drupal/themes/garland/template.php Locally Modified (Based On 1.37)
@@ -93,10 +93,10 @@
   // Prepare header.
   $site_fields = array();
   if (!empty($vars['site_name'])) {
-    $site_fields[] = check_plain($vars['site_name']);
+    $site_fields[] = $vars['site_name'];
   }
   if (!empty($vars['site_slogan'])) {
-    $site_fields[] = check_plain($vars['site_slogan']);
+    $site_fields[] = $vars['site_slogan'];
   }
   $vars['site_title'] = implode(' ', $site_fields);
   if (!empty($site_fields)) {
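Review bot: Removing check_plain() from the two $site_fields[] lines leaves no escaping visible anywhere in this function for values that end up in $vars['site_title'], so the safety of the output now rests entirely on whatever populated $vars['site_name'] and $vars['site_slogan'] earlier, which this hunk does not show. A one-line comment documents that dependency: `// site_name and site_slogan have already been filtered by template_preprocess_page(); escaping again would double-encode them.` — with the function name adjusted if a different preprocess step supplies them. The enclosing function starts before this hunk.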
@@ -105,8 +105,8 @@
   $vars['site_html'] = implode(' ', $site_fields);
 
   // Set a variable for the site name title and logo alt attributes text.
-  $slogan_text = filter_xss_admin(variable_get('site_slogan', ''));
-  $site_name_text = filter_xss_admin(variable_get('site_name', 'Drupal'));
+  $slogan_text = $vars['site_slogan'];
+  $site_name_text = $vars['site_name'];
   $vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text;
 }
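Review bot: The two assignments replacing filter_xss_admin(variable_get(...)) change where the value comes from, not just how it is escaped: the removed lines read the stored site name and slogan unconditionally, while $vars['site_name'] and $vars['site_slogan'] hold whatever the earlier preprocess step put there, which — judging by the !empty() guards in the previous hunk — can be empty when the theme's name/slogan toggles are off, so site_name_and_slogan (the logo alt/title text per the comment) may now be blank in that configuration; confirm that is intended. Separately, the comment says this text feeds alt and title attributes, and filter_xss_admin output is body-context HTML that keeps `"` and permitted tags, so if page.tpl.php prints it inside a quoted attribute an administrator-controlled quote breaks out of it; `$vars['site_name_and_slogan'] = check_plain(decode_entities(strip_tags($site_name_text . ' ' . $slogan_text)));` yields attribute-safe plain text. The template that consumes the variable is not in this patch, so this should be verified against it.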
 
