Index: includes/theme.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/theme.inc,v
retrieving revision 1.626
diff -u -9 -p -r1.626 theme.inc
--- includes/theme.inc	11 Dec 2010 02:06:25 -0000	1.626
+++ includes/theme.inc	13 Dec 2010 23:44:07 -0000
@@ -2197,19 +2197,19 @@ function template_preprocess_html(&$vari
   if (drupal_get_title()) {
     $head_title = array(
       'title' => strip_tags(drupal_get_title()),
       'name' => check_plain(variable_get('site_name', 'Drupal')),
     );
   }
   else {
     $head_title = array('name' => check_plain(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title['slogan'] = filter_xss_admin(variable_get('site_slogan', ''));
+      $head_title['slogan'] = strip_tags(filter_xss_admin(variable_get('site_slogan', '')));
     }
   }
   $variables['head_title_array'] = $head_title;
   $variables['head_title'] = implode(' | ', $head_title);
 
   // Populate the page template suggestions.
   if ($suggestions = theme_get_suggestions(arg(), 'html')) {
     $variables['theme_hook_suggestions'] = $suggestions;
   }
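Review bot: The nested call on the new `$head_title['slogan']` line in template_preprocess_html() has no comment saying why two sanitizers are stacked, so a later reader may drop one of them as redundant. I would add `// The slogan may carry admin-allowed markup, which <title> cannot render: filter first, then strip the remaining tags.` above it. The identical line is added in the first template_preprocess_maintenance_page() hunk and needs the same comment; since both functions now build `$head_title` the same way, a small shared helper would keep the two sanitization chains from drifting apart. Both function bodies start outside their hunks.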
@@ -2254,19 +2254,19 @@ function template_preprocess_page(&$vari
   $variables['base_path']         = base_path();
   $variables['front_page']        = url();
   $variables['feed_icons']        = drupal_get_feeds();
   $variables['language']          = $GLOBALS['language'];
   $variables['language']->dir     = $GLOBALS['language']->direction ? 'rtl' : 'ltr';
   $variables['logo']              = theme_get_setting('logo');
   $variables['main_menu']         = theme_get_setting('toggle_main_menu') ? menu_main_menu() : array();
   $variables['secondary_menu']    = theme_get_setting('toggle_secondary_menu') ? menu_secondary_menu() : array();
   $variables['action_links']      = menu_local_actions();
-  $variables['site_name']         = (theme_get_setting('toggle_name') ? filter_xss_admin(variable_get('site_name', 'Drupal')) : '');
+  $variables['site_name']         = (theme_get_setting('toggle_name') ? check_plain(variable_get('site_name', 'Drupal')) : '');
   $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? filter_xss_admin(variable_get('site_slogan', '')) : '');
   $variables['tabs']              = menu_local_tabs();
 
   if ($node = menu_get_object()) {
     $variables['node'] = $node;
   }
 
   // Populate the page template suggestions.
   if ($suggestions = theme_get_suggestions(arg(), 'page')) {
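Review bot: After this change `$variables['site_name']` and `$variables['site_slogan']` in template_preprocess_page() follow different output contracts, and nothing on these lines says so: the name is plain text escaped with check_plain(), while the slogan is still HTML that may contain whatever tags filter_xss_admin() lets through. A theme that prints the slogan anywhere other than element content (an attribute value, a `<title>`) has to reduce it to text itself. I would state that next to the assignments, e.g. `// site_name is escaped plain text; site_slogan is filtered HTML and may contain markup.`, and repeat it in the second template_preprocess_maintenance_page() hunk, which sets the same two variables the same way. The function body runs past both ends of this hunk.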
@@ -2425,25 +2425,25 @@ function template_preprocess_maintenance
   }
   if (!empty($variables['sidebar_second'])) {
     $variables['layout'] = ($variables['layout'] == 'first') ? 'both' : 'second';
   }
 
   // Construct page title
   if (drupal_get_title()) {
     $head_title = array(
       'title' => strip_tags(drupal_get_title()),
-      'name' => variable_get('site_name', 'Drupal'),
+      'name' => check_plain(variable_get('site_name', 'Drupal')),
     );
   }
   else {
-    $head_title = array('name' => variable_get('site_name', 'Drupal'));
+    $head_title = array('name' => check_plain(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title['slogan'] = variable_get('site_slogan', '');
+      $head_title['slogan'] = strip_tags(filter_xss_admin(variable_get('site_slogan', '')));
     }
   }
 
   // set the default language if necessary
   $language = isset($GLOBALS['language']) ? $GLOBALS['language'] : language_default();
 
   $variables['head_title_array']  = $head_title;
   $variables['head_title']        = implode(' | ', $head_title);
   $variables['base_path']         = base_path();
@@ -2451,20 +2451,20 @@ function template_preprocess_maintenance
   $variables['breadcrumb']        = '';
   $variables['feed_icons']        = '';
   $variables['help']              = '';
   $variables['language']          = $language;
   $variables['language']->dir     = $language->direction ? 'rtl' : 'ltr';
   $variables['logo']              = theme_get_setting('logo');
   $variables['messages']          = $variables['show_messages'] ? theme('status_messages') : '';
   $variables['main_menu']         = array();
   $variables['secondary_menu']    = array();
-  $variables['site_name']         = (theme_get_setting('toggle_name') ? variable_get('site_name', 'Drupal') : '');
-  $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? variable_get('site_slogan', '') : '');
+  $variables['site_name']         = (theme_get_setting('toggle_name') ? check_plain(variable_get('site_name', 'Drupal')) : '');
+  $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? filter_xss_admin(variable_get('site_slogan', '')) : '');
   $variables['tabs']              = '';
   $variables['title']             = drupal_get_title();
   $variables['closure']           = '';
 
   // Compile a list of classes that are going to be applied to the body element.
   $variables['classes_array'][] = 'in-maintenance';
   if (isset($variables['db_is_active']) && !$variables['db_is_active']) {
     $variables['classes_array'][] = 'db-offline';
   }
Index: modules/system/system.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.test,v
retrieving revision 1.153
diff -u -9 -p -r1.153 system.test
--- modules/system/system.test	1 Dec 2010 00:23:36 -0000	1.153
+++ modules/system/system.test	13 Dec 2010 23:44:07 -0000
@@ -1598,24 +1598,23 @@ class TokenReplaceTestCase extends Drupa
     global $language;
     $url_options = array(
       'absolute' => TRUE,
       'language' => $language,
     );
 
     // Set a few site variables.
     variable_set('site_name', '<strong>Drupal<strong>');
     variable_set('site_slogan', '<blink>Slogan</blink>');
-    variable_set('site_mission', '<em>Mission</em>');
 
     // Generate and test sanitized tokens.
     $tests = array();
     $tests['[site:name]'] = check_plain(variable_get('site_name', 'Drupal'));
-    $tests['[site:slogan]'] = check_plain(variable_get('site_slogan', ''));
+    $tests['[site:slogan]'] = filter_xss_admin(variable_get('site_slogan', ''));
     $tests['[site:mail]'] = 'simpletest@example.com';
     $tests['[site:url]'] = url('<front>', $url_options);
     $tests['[site:url-brief]'] = preg_replace(array('!^https?://!', '!/$!'), '', url('<front>', $url_options));
     $tests['[site:login-url]'] = url('user', $url_options);
 
     // Test to make sure that we generated something for each token.
     $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.'));
 
     foreach ($tests as $input => $expected) {
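Review bot: The new expectation for `[site:slogan]` is computed with the same filter_xss_admin() call that system_tokens() now makes, so the assertion passes whatever that function returns and cannot catch a wrong choice of sanitizer. The fixture `<blink>Slogan</blink>` also appears to cover only the stripping path, since `blink` is presumably not in the admin tag list. I would use a slogan that mixes an allowed and a disallowed tag and compare against a literal, e.g. `variable_set('site_slogan', '<em>Slogan</em><script>x</script>');` with `$tests['[site:slogan]'] = '<em>Slogan</em>x';` (expected string to be confirmed by running the test). The test method starts above the hunk and its loop continues below it.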
Index: modules/system/system.tokens.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.tokens.inc,v
retrieving revision 1.13
diff -u -9 -p -r1.13 system.tokens.inc
--- modules/system/system.tokens.inc	28 Oct 2010 01:33:41 -0000	1.13
+++ modules/system/system.tokens.inc	13 Dec 2010 23:44:07 -0000
@@ -147,19 +147,19 @@ function system_tokens($type, $tokens, a
     foreach ($tokens as $name => $original) {
       switch ($name) {
         case 'name':
           $site_name = variable_get('site_name', 'Drupal');
           $replacements[$original] = $sanitize ? check_plain($site_name) : $site_name;
           break;
 
         case 'slogan':
           $slogan = variable_get('site_slogan', '');
-          $replacements[$original] = $sanitize ? check_plain($slogan) : $slogan;
+          $replacements[$original] = $sanitize ? filter_xss_admin($slogan) : $slogan;
           break;
 
         case 'mail':
           $replacements[$original] = variable_get('site_mail', '');
           break;
 
         case 'url':
           $replacements[$original] = url('<front>', $url_options);
           break;
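Review bot: With `$sanitize` set, the `slogan` case now returns HTML that may contain tags where it previously returned fully escaped text, while the `name` case just above still uses check_plain(). Callers that place sanitized tokens into an attribute value or a plain-text field relied on the old behaviour, and filter_xss_admin() does not, as far as I know, encode a bare double quote in text. The change of contract should be recorded where the token is described (the token info hook is not part of this hunk) and in a comment on this line, e.g. `// The slogan may contain admin-allowed markup, so filter it instead of escaping it.`. system_tokens() begins and ends outside the hunk.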
Index: themes/garland/template.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/garland/template.php,v
retrieving revision 1.45
diff -u -9 -p -r1.45 template.php
--- themes/garland/template.php	1 Dec 2010 00:18:15 -0000	1.45
+++ themes/garland/template.php	13 Dec 2010 23:44:07 -0000
@@ -108,19 +108,19 @@ function garland_preprocess_page(&$vars)
     $site_fields[] = $vars['site_slogan'];
   }
   $vars['site_title'] = implode(' ', $site_fields);
   if (!empty($site_fields)) {
     $site_fields[0] = '<span>' . $site_fields[0] . '</span>';
   }
   $vars['site_html'] = implode(' ', $site_fields);
 
   // Set a variable for the site name title and logo alt attributes text.
-  $slogan_text = $vars['site_slogan'];
+  $slogan_text = strip_tags($vars['site_slogan']);
   $site_name_text = $vars['site_name'];
   $vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text;
 }
 
 /**
  * Override or insert variables into the node template.
  */
 function garland_preprocess_node(&$vars) {
   $vars['submitted'] = $vars['date'] . ' — ' . $vars['name'];
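Review bot: strip_tags() on the new `$slogan_text` line removes markup but is not an attribute encoder, and the comment above it says `site_name_and_slogan` is used as title and alt attribute text. `$vars['site_slogan']` arrives through filter_xss_admin(), which to my knowledge leaves a literal double quote in text untouched, so a quote in the slogan would end the attribute value in the template (not shown here). Decoding and re-escaping after stripping closes that gap without double-encoding entities: `$slogan_text = check_plain(decode_entities(strip_tags($vars['site_slogan'])));`. `$vars['site_title']` a few lines up is still built from the unstripped slogan, so it is worth checking where the theme prints it. garland_preprocess_page() starts above the hunk.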
