Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.206.2.11
diff -u -p -r1.206.2.11 bootstrap.inc
--- includes/bootstrap.inc	25 Feb 2009 13:49:54 -0000	1.206.2.11
+++ includes/bootstrap.inc	29 Apr 2009 23:02:30 -0000
@@ -791,6 +791,8 @@ function request_uri() {
       $uri = $_SERVER['SCRIPT_NAME'];
     }
   }
+  // Prevent multiple slashes to avoid cross site requests via the FAPI.
+  $uri = '/'. ltrim($uri, '/');
 
   return $uri;
 }
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.756.2.48
diff -u -p -r1.756.2.48 common.inc
--- includes/common.inc	25 Feb 2009 23:16:45 -0000	1.756.2.48
+++ includes/common.inc	29 Apr 2009 23:02:31 -0000
@@ -152,6 +152,15 @@ function drupal_get_headers() {
 }
 
 /**
+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+  // Make sure that the charset is always specified as the first element of the
+  // head region to prevent encoding-based attacks.
+  return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**
  * Add a feed URL for the current page.
  *
  * @param $url
Index: includes/theme.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/theme.inc,v
retrieving revision 1.415.2.20
diff -u -p -r1.415.2.20 theme.inc
--- includes/theme.inc	29 Apr 2009 17:22:52 -0000	1.415.2.20
+++ includes/theme.inc	29 Apr 2009 23:02:31 -0000
@@ -687,6 +687,10 @@ function theme() {
   }
   // restore path_to_theme()
   $theme_path = $temp;
+  // Add final markup to the full page.
+  if ($hook == 'page') {
+    $output = drupal_final_markup($output);
+  }
   return $output;
 }
 
Index: modules/system/maintenance-page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/maintenance-page.tpl.php,v
retrieving revision 1.2
diff -u -p -r1.2 maintenance-page.tpl.php
--- modules/system/maintenance-page.tpl.php	24 Jan 2008 09:42:51 -0000	1.2
+++ modules/system/maintenance-page.tpl.php	29 Apr 2009 23:02:31 -0000
@@ -19,8 +19,8 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
 
 <head>
-  <title><?php print $head_title; ?></title>
   <?php print $head; ?>
+  <title><?php print $head_title; ?></title>
   <?php print $styles; ?>
   <?php print $scripts; ?>
   <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyled Content in IE */ ?> </script>
Index: modules/system/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/page.tpl.php,v
retrieving revision 1.11
diff -u -p -r1.11 page.tpl.php
--- modules/system/page.tpl.php	24 Jan 2008 09:42:51 -0000	1.11
+++ modules/system/page.tpl.php	29 Apr 2009 23:02:31 -0000
@@ -80,8 +80,8 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
 
 <head>
-  <title><?php print $head_title; ?></title>
   <?php print $head; ?>
+  <title><?php print $head_title; ?></title>
   <?php print $styles; ?>
   <?php print $scripts; ?>
   <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyled Content in IE */ ?> </script>
Index: themes/bluemarine/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/bluemarine/Attic/page.tpl.php,v
retrieving revision 1.28
diff -u -p -r1.28 page.tpl.php
--- themes/bluemarine/page.tpl.php	24 Jan 2008 09:42:52 -0000	1.28
+++ themes/bluemarine/page.tpl.php	29 Apr 2009 23:02:31 -0000
@@ -4,8 +4,8 @@
 <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language->language ?>" xml:lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
 
 <head>
-  <title><?php print $head_title ?></title>
   <?php print $head ?>
+  <title><?php print $head_title ?></title>
   <?php print $styles ?>
   <?php print $scripts ?>
   <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyle Content in IE */ ?> </script>
Index: themes/chameleon/chameleon.theme
===================================================================
RCS file: /cvs/drupal/drupal/themes/chameleon/Attic/chameleon.theme,v
retrieving revision 1.76
diff -u -p -r1.76 chameleon.theme
--- themes/chameleon/chameleon.theme	24 Jan 2008 09:42:53 -0000	1.76
+++ themes/chameleon/chameleon.theme	29 Apr 2009 23:02:31 -0000
@@ -30,8 +30,8 @@ function chameleon_page($content, $show_
   $output  = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
   $output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\" dir=\"$direction\">\n";
   $output .= "<head>\n";
-  $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
   $output .= drupal_get_html_head();
+  $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
   $output .= drupal_get_css();
   $output .= drupal_get_js();
   $output .= "</head>";
Index: themes/garland/maintenance-page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/garland/maintenance-page.tpl.php,v
retrieving revision 1.3
diff -u -p -r1.3 maintenance-page.tpl.php
--- themes/garland/maintenance-page.tpl.php	24 Jan 2008 09:42:53 -0000	1.3
+++ themes/garland/maintenance-page.tpl.php	29 Apr 2009 23:02:31 -0000
@@ -15,8 +15,8 @@
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
   <head>
-    <title><?php print $head_title ?></title>
     <?php print $head ?>
+    <title><?php print $head_title ?></title>
     <?php print $styles ?>
     <?php print $scripts ?>
     <!--[if lt IE 7]>
Index: themes/garland/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/garland/page.tpl.php,v
retrieving revision 1.18
diff -u -p -r1.18 page.tpl.php
--- themes/garland/page.tpl.php	24 Jan 2008 09:42:53 -0000	1.18
+++ themes/garland/page.tpl.php	29 Apr 2009 23:02:31 -0000
@@ -4,8 +4,8 @@
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
   <head>
-    <title><?php print $head_title ?></title>
     <?php print $head ?>
+    <title><?php print $head_title ?></title>
     <?php print $styles ?>
     <?php print $scripts ?>
     <!--[if lt IE 7]>
Index: themes/pushbutton/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/pushbutton/Attic/page.tpl.php,v
retrieving revision 1.25.2.1
diff -u -p -r1.25.2.1 page.tpl.php
--- themes/pushbutton/page.tpl.php	29 Sep 2008 13:32:15 -0000	1.25.2.1
+++ themes/pushbutton/page.tpl.php	29 Apr 2009 23:02:31 -0000
@@ -3,9 +3,9 @@
 ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language->language ?>" xml:lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
 <head>
-  <title><?php print $head_title ?></title>
   <meta http-equiv="Content-Style-Type" content="text/css" />
   <?php print $head ?>
+  <title><?php print $head_title ?></title>
   <?php print $styles ?>
   <?php print $scripts ?>
 </head>