Index: includes/theme.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/theme.inc,v retrieving revision 1.596 diff -u -9 -p -r1.596 theme.inc --- includes/theme.inc 30 Apr 2010 20:07:03 -0000 1.596 +++ includes/theme.inc 9 May 2010 15:35:37 -0000 @@ -2183,27 +2183,27 @@ function template_preprocess_html(&$vari // Add favicon. if (theme_get_setting('toggle_favicon')) { $favicon = theme_get_setting('favicon'); $type = theme_get_setting('favicon_mimetype'); drupal_add_html_head_link(array('rel' => 'shortcut icon', 'href' => check_url($favicon), 'type' => $type)); } // Construct page title. if (drupal_get_title()) { - $head_title = array(strip_tags(drupal_get_title()), check_plain(variable_get('site_name', 'Drupal'))); + $head_title = array(drupal_get_title(), check_plain(variable_get('site_name', 'Drupal'))); } else { $head_title = array(check_plain(variable_get('site_name', 'Drupal'))); if (variable_get('site_slogan', '')) { $head_title[] = filter_xss_admin(variable_get('site_slogan', '')); } } - $variables['head_title'] = implode(' | ', $head_title); + $variables['head_title'] = strip_tags(implode(' | ', $head_title)); // Populate the page template suggestions. if ($suggestions = theme_get_suggestions(arg(), 'html')) { $variables['theme_hook_suggestions'] = $suggestions; } } /** * Preprocess variables for page.tpl.php @@ -2246,19 +2246,19 @@ function template_preprocess_page(&$vari $variables['breadcrumb'] = theme('breadcrumb', array('breadcrumb' => drupal_get_breadcrumb())); $variables['feed_icons'] = drupal_get_feeds(); $variables['language'] = $GLOBALS['language']; $variables['language']->dir = $GLOBALS['language']->direction ? 'rtl' : 'ltr'; $variables['logo'] = theme_get_setting('logo'); $variables['messages'] = $variables['show_messages'] ? theme('status_messages') : ''; $variables['main_menu'] = theme_get_setting('toggle_main_menu') ? menu_main_menu() : array(); $variables['secondary_menu'] = theme_get_setting('toggle_secondary_menu') ? menu_secondary_menu() : array(); $variables['action_links'] = menu_local_actions(); - $variables['site_name'] = (theme_get_setting('toggle_name') ? filter_xss_admin(variable_get('site_name', 'Drupal')) : ''); + $variables['site_name'] = (theme_get_setting('toggle_name') ? check_plain(variable_get('site_name', 'Drupal')) : ''); $variables['site_slogan'] = (theme_get_setting('toggle_slogan') ? filter_xss_admin(variable_get('site_slogan', '')) : ''); $variables['tabs'] = theme('menu_local_tasks'); $variables['title'] = drupal_get_title(); if ($node = menu_get_object()) { $variables['node'] = $node; } // Populate the page template suggestions. @@ -2388,44 +2388,44 @@ function template_preprocess_maintenance if (!empty($variables['sidebar_first'])) { $variables['layout'] = 'first'; } if (!empty($variables['sidebar_second'])) { $variables['layout'] = ($variables['layout'] == 'first') ? 'both' : 'second'; } // Construct page title if (drupal_get_title()) { - $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal')); + $head_title = array(drupal_get_title(), check_plain(variable_get('site_name', 'Drupal'))); } else { - $head_title = array(variable_get('site_name', 'Drupal')); + $head_title = array(check_plain(variable_get('site_name', 'Drupal'))); if (variable_get('site_slogan', '')) { - $head_title[] = variable_get('site_slogan', ''); + $head_title[] = filter_xss_admin(variable_get('site_slogan', '')); } } // set the default language if necessary $language = isset($GLOBALS['language']) ? $GLOBALS['language'] : language_default(); - $variables['head_title'] = implode(' | ', $head_title); + $variables['head_title'] = strip_tags(implode(' | ', $head_title)); $variables['base_path'] = base_path(); $variables['front_page'] = url(); $variables['breadcrumb'] = ''; $variables['feed_icons'] = ''; $variables['help'] = ''; $variables['language'] = $language; $variables['language']->dir = $language->direction ? 'rtl' : 'ltr'; $variables['logo'] = theme_get_setting('logo'); $variables['messages'] = $variables['show_messages'] ? theme('status_messages') : ''; $variables['main_menu'] = array(); $variables['secondary_menu'] = array(); - $variables['site_name'] = (theme_get_setting('toggle_name') ? variable_get('site_name', 'Drupal') : ''); - $variables['site_slogan'] = (theme_get_setting('toggle_slogan') ? variable_get('site_slogan', '') : ''); + $variables['site_name'] = (theme_get_setting('toggle_name') ? check_plain(variable_get('site_name', 'Drupal')) : ''); + $variables['site_slogan'] = (theme_get_setting('toggle_slogan') ? filter_xss_admin(variable_get('site_slogan', '')) : ''); $variables['tabs'] = ''; $variables['title'] = drupal_get_title(); $variables['closure'] = ''; // Compile a list of classes that are going to be applied to the body element. $variables['classes_array'][] = 'in-maintenance'; if (isset($variables['db_is_active']) && !$variables['db_is_active']) { $variables['classes_array'][] = 'db-offline'; } Index: modules/comment/comment.test =================================================================== RCS file: /cvs/drupal/drupal/modules/comment/comment.test,v retrieving revision 1.78 diff -u -9 -p -r1.78 comment.test --- modules/comment/comment.test 3 May 2010 07:39:39 -0000 1.78 +++ modules/comment/comment.test 9 May 2010 15:35:37 -0000 @@ -1342,49 +1342,42 @@ class CommentTokenReplaceTestCase extend $instance = field_info_instance('comment', 'body', 'comment_body'); // Generate and test sanitized tokens. $tests = array(); $tests['[comment:cid]'] = $comment->cid; $tests['[comment:pid]'] = $comment->pid; $tests['[comment:nid]'] = $comment->nid; $tests['[comment:uid]'] = $comment->uid; $tests['[comment:hostname]'] = check_plain($comment->hostname); - $tests['[comment:name]'] = filter_xss($comment->name); + $tests['[comment:name]'] = check_plain($comment->name); $tests['[comment:mail]'] = check_plain($this->admin_user->mail); $tests['[comment:homepage]'] = filter_xss_bad_protocol($comment->homepage); - $tests['[comment:title]'] = filter_xss($comment->subject); + $tests['[comment:title]'] = check_plain($comment->subject); $tests['[comment:body]'] = _text_sanitize($instance, LANGUAGE_NONE, $comment->comment_body[LANGUAGE_NONE][0], 'value'); - $tests['[comment:url]'] = url('comment/' . $comment->cid, $url_options + array('fragment' => 'comment-' . $comment->cid)); - $tests['[comment:edit-url]'] = url('comment/' . $comment->cid . '/edit', $url_options); - $tests['[comment:created:since]'] = format_interval(REQUEST_TIME - $comment->created, 2, $language->language); - $tests['[comment:changed:since]'] = format_interval(REQUEST_TIME - $comment->changed, 2, $language->language); + $tests['[comment:url]'] = check_plain(url('comment/' . $comment->cid, $url_options + array('fragment' => 'comment-' . $comment->cid))); + $tests['[comment:edit-url]'] = check_plain(url('comment/' . $comment->cid . '/edit', $url_options)); + $tests['[comment:created:since]'] = check_plain(format_interval(REQUEST_TIME - $comment->created, 2, $language->language)); + $tests['[comment:changed:since]'] = check_plain(format_interval(REQUEST_TIME - $comment->changed, 2, $language->language)); $tests['[comment:parent:title]'] = check_plain($parent_comment->subject); $tests['[comment:node:title]'] = check_plain($node->title); $tests['[comment:author:name]'] = check_plain($this->admin_user->name); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array('comment' => $comment), array('language' => $language)); $this->assertFalse(strcmp($output, $expected), t('Sanitized comment token %token replaced.', array('%token' => $input))); } // Generate and test unsanitized tokens. - $tests['[comment:hostname]'] = $comment->hostname; - $tests['[comment:name]'] = $comment->name; - $tests['[comment:mail]'] = $this->admin_user->mail; - $tests['[comment:homepage]'] = $comment->homepage; - $tests['[comment:title]'] = $comment->subject; $tests['[comment:body]'] = $comment->comment_body[LANGUAGE_NONE][0]['value']; $tests['[comment:parent:title]'] = $parent_comment->subject; - $tests['[comment:node:title]'] = $node->title; - $tests['[comment:author:name]'] = $this->admin_user->name; foreach ($tests as $input => $expected) { $output = token_replace($input, array('comment' => $comment), array('language' => $language, 'sanitize' => FALSE)); $this->assertFalse(strcmp($output, $expected), t('Unsanitized comment token %token replaced.', array('%token' => $input))); } // Load node so comment_count gets computed. $node = node_load($node->nid); Index: modules/comment/comment.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/comment/comment.tokens.inc,v retrieving revision 1.11 diff -u -9 -p -r1.11 comment.tokens.inc --- modules/comment/comment.tokens.inc 20 Apr 2010 09:48:06 -0000 1.11 +++ modules/comment/comment.tokens.inc 9 May 2010 15:35:37 -0000 @@ -146,86 +146,85 @@ function comment_tokens($type, $tokens, $replacements[$original] = $comment->nid; break; case 'uid': $replacements[$original] = $comment->uid; break; // Poster identity information for comments case 'hostname': - $replacements[$original] = $sanitize ? check_plain($comment->hostname) : $comment->hostname; + $replacements[$original] = check_plain($comment->hostname); break; case 'name': $name = ($comment->uid == 0) ? variable_get('anonymous', t('Anonymous')) : $comment->name; - $replacements[$original] = $sanitize ? filter_xss($name) : $name; + $replacements[$original] = check_plain($name); break; case 'mail': if ($comment->uid != 0) { $account = user_load($comment->uid); $mail = $account->mail; } else { $mail = $comment->mail; } - $replacements[$original] = $sanitize ? check_plain($mail) : $mail; + $replacements[$original] = check_plain($mail); break; case 'homepage': - $replacements[$original] = $sanitize ? filter_xss_bad_protocol($comment->homepage) : $comment->homepage; + $replacements[$original] = $sanitize ? filter_xss_bad_protocol($comment->homepage) : check_plain($comment->homepage); break; case 'title': - $replacements[$original] = $sanitize ? filter_xss($comment->subject) : $comment->subject; + $replacements[$original] = check_plain($comment->subject); break; case 'body': $item = $comment->comment_body[LANGUAGE_NONE][0]; $instance = field_info_instance('comment', 'body', 'comment_body'); $replacements[$original] = $sanitize ? _text_sanitize($instance, LANGUAGE_NONE, $item, 'value') : $item['value']; break; // Comment related URLs. case 'url': $url_options['fragment'] = 'comment-' . $comment->cid; - $replacements[$original] = url('comment/' . $comment->cid, $url_options); + $replacements[$original] = check_plain(url('comment/' . $comment->cid, $url_options)); break; case 'edit-url': $url_options['fragment'] = NULL; - $replacements[$original] = url('comment/' . $comment->cid . '/edit', $url_options); + $replacements[$original] = check_plain(url('comment/' . $comment->cid . '/edit', $url_options)); break; // Default values for the chained tokens handled below. case 'author': - $replacements[$original] = $sanitize ? filter_xss($comment->name) : $comment->name; + $replacements[$original] = check_plain($comment->name); break; case 'parent': if (!empty($comment->pid)) { $parent = comment_load($comment->pid); - $replacements[$original] = $sanitize ? filter_xss($parent->subject) : $parent->subject; + $replacements[$original] = check_plain($parent->subject); } break; case 'created': - $replacements[$original] = format_date($comment->created, 'medium', '', NULL, $language_code); + $replacements[$original] = check_plain(format_date($comment->created, 'medium', '', NULL, $language_code)); break; case 'changed': - $replacements[$original] = format_date($comment->changed, 'medium', '', NULL, $language_code); + $replacements[$original] = check_plain(format_date($comment->changed, 'medium', '', NULL, $language_code)); break; case 'node': $node = node_load($comment->nid); - $title = $node->title; - $replacements[$original] = $sanitize ? filter_xss($title) : $title; + $replacements[$original] = check_plain($node->title); break; } } // Chained token relationships. if ($node_tokens = token_find_with_prefix($tokens, 'node')) { $node = node_load($comment->nid); $replacements += token_generate('node', $node_tokens, array('node' => $node), $options); } Index: modules/node/node.test =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.test,v retrieving revision 1.81 diff -u -9 -p -r1.81 node.test --- modules/node/node.test 20 Apr 2010 09:48:06 -0000 1.81 +++ modules/node/node.test 9 May 2010 15:35:37 -0000 @@ -1709,34 +1709,33 @@ class NodeTokenReplaceTestCase extends D $tests['[node:vid]'] = $node->vid; $tests['[node:tnid]'] = $node->tnid; $tests['[node:uid]'] = $node->uid; $tests['[node:type]'] = 'article'; $tests['[node:type-name]'] = 'Article'; $tests['[node:title]'] = check_plain($node->title); $tests['[node:body]'] = _text_sanitize($instance, $node->language, $node->body[$node->language][0], 'value'); $tests['[node:summary]'] = _text_sanitize($instance, $node->language, $node->body[$node->language][0], 'summary'); $tests['[node:language]'] = check_plain($node->language); - $tests['[node:url]'] = url('node/' . $node->nid, $url_options); - $tests['[node:edit-url]'] = url('node/' . $node->nid . '/edit', $url_options); + $tests['[node:url]'] = check_plain(url('node/' . $node->nid, $url_options)); + $tests['[node:edit-url]'] = check_plain(url('node/' . $node->nid . '/edit', $url_options)); $tests['[node:author:name]'] = check_plain($account->name); - $tests['[node:created:since]'] = format_interval(REQUEST_TIME - $node->created, 2, $language->language); - $tests['[node:changed:since]'] = format_interval(REQUEST_TIME - $node->changed, 2, $language->language); + $tests['[node:created:since]'] = check_plain(format_interval(REQUEST_TIME - $node->created, 2, $language->language)); + $tests['[node:changed:since]'] = check_plain(format_interval(REQUEST_TIME - $node->changed, 2, $language->language)); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array('node' => $node), array('language' => $language)); $this->assertFalse(strcmp($output, $expected), t('Sanitized node token %token replaced.', array('%token' => $input))); } // Generate and test unsanitized tokens. - $tests['[node:title]'] = $node->title; $tests['[node:body]'] = $node->body[$node->language][0]['value']; $tests['[node:summary]'] = $node->body[$node->language][0]['summary']; $tests['[node:language]'] = $node->language; $tests['[node:author:name]'] = $account->name; foreach ($tests as $input => $expected) { $output = token_replace($input, array('node' => $node), array('language' => $language, 'sanitize' => FALSE)); $this->assertFalse(strcmp($output, $expected), t('Unsanitized node token %token replaced.', array('%token' => $input))); } Index: modules/node/node.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.tokens.inc,v retrieving revision 1.14 diff -u -9 -p -r1.14 node.tokens.inc --- modules/node/node.tokens.inc 20 Apr 2010 09:48:06 -0000 1.14 +++ modules/node/node.tokens.inc 9 May 2010 15:35:37 -0000 @@ -124,64 +124,64 @@ function node_tokens($type, $tokens, arr case 'tnid': $replacements[$original] = $node->tnid; break; case 'uid': $replacements[$original] = $node->uid; break; case 'type': - $replacements[$original] = $sanitize ? check_plain($node->type) : $node->type; + $replacements[$original] = check_plain($node->type); break; case 'type-name': $type_name = node_type_get_name($node); - $replacements[$original] = $sanitize ? check_plain($type_name) : $type_name; + $replacements[$original] = check_plain($type_name); break; case 'title': - $replacements[$original] = $sanitize ? check_plain($node->title) : $node->title; + $replacements[$original] = check_plain($node->title); break; case 'body': case 'summary': if (!empty($node->body)) { $item = $node->body[$node->language][0]; $column = ($name == 'body') ? 'value' : 'summary'; $instance = field_info_instance('node', 'body', $node->type); $replacements[$original] = $sanitize ? _text_sanitize($instance, $node->language, $item, $column) : $item[$column]; } break; case 'language': - $replacements[$original] = $sanitize ? check_plain($node->language) : $node->language; + $replacements[$original] = check_plain($node->language); break; case 'url': - $replacements[$original] = url('node/' . $node->nid, $url_options); + $replacements[$original] = check_plain(url('node/' . $node->nid, $url_options)); break; case 'edit-url': - $replacements[$original] = url('node/' . $node->nid . '/edit', $url_options); + $replacements[$original] = check_plain(url('node/' . $node->nid . '/edit', $url_options)); break; // Default values for the chained tokens handled below. case 'author': $name = ($node->uid == 0) ? variable_get('anonymous', t('Anonymous')) : $node->name; - $replacements[$original] = $sanitize ? filter_xss($name) : $name; + $replacements[$original] = check_plain($name); break; case 'created': - $replacements[$original] = format_date($node->created, 'medium', '', NULL, $language_code); + $replacements[$original] = check_plain(format_date($node->created, 'medium', '', NULL, $language_code)); break; case 'changed': - $replacements[$original] = format_date($node->changed, 'medium', '', NULL, $language_code); + $replacements[$original] = check_plain(format_date($node->changed, 'medium', '', NULL, $language_code)); break; } } if ($author_tokens = token_find_with_prefix($tokens, 'author')) { $author = user_load($node->uid); $replacements += token_generate('user', $author_tokens, array('user' => $author), $options); } Index: modules/poll/poll.test =================================================================== RCS file: /cvs/drupal/drupal/modules/poll/poll.test,v retrieving revision 1.33 diff -u -9 -p -r1.33 poll.test --- modules/poll/poll.test 22 Apr 2010 23:59:04 -0000 1.33 +++ modules/poll/poll.test 9 May 2010 15:35:37 -0000 @@ -550,31 +550,23 @@ class PollTokenReplaceTestCase extends P ); $this->drupalPost('node/' . $poll_nid, $edit, t('Vote')); $this->drupalLogout(); $poll = node_load($poll_nid, NULL, TRUE); // Generate and test sanitized tokens. $tests = array(); $tests['[node:poll-votes]'] = 4; - $tests['[node:poll-winner]'] = filter_xss($poll->choice[1]['chtext']); + $tests['[node:poll-winner]'] = check_plain($poll->choice[1]['chtext']); $tests['[node:poll-winner-votes]'] = 2; $tests['[node:poll-winner-percent]'] = 50; $tests['[node:poll-duration]'] = format_interval($poll->runtime, 1, $language->language); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array('node' => $poll), array('language' => $language)); $this->assertFalse(strcmp($output, $expected), t('Sanitized poll token %token replaced.', array('%token' => $input))); } - - // Generate and test unsanitized tokens. - $tests['[node:poll-winner]'] = $poll->choice[1]['chtext']; - - foreach ($tests as $input => $expected) { - $output = token_replace($input, array('node' => $poll), array('language' => $language, 'sanitize' => FALSE)); - $this->assertFalse(strcmp($output, $expected), t('Unsanitized poll token %token replaced.', array('%token' => $input))); - } } } Index: modules/poll/poll.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/poll/poll.tokens.inc,v retrieving revision 1.5 diff -u -9 -p -r1.5 poll.tokens.inc --- modules/poll/poll.tokens.inc 20 Apr 2010 09:48:06 -0000 1.5 +++ modules/poll/poll.tokens.inc 9 May 2010 15:35:37 -0000 @@ -65,19 +65,19 @@ function poll_tokens($type, $tokens, arr } foreach ($tokens as $name => $original) { switch ($name) { case 'poll-votes': $replacements[$original] = $total_votes; break; case 'poll-winner': if (isset($winner)) { - $replacements[$original] = $sanitize ? filter_xss($winner['chtext']) : $winner['chtext']; + $replacements[$original] = check_plain($winner['chtext']); } else { $replacements[$original] = ''; } break; case 'poll-winner-votes': if (isset($winner)) { $replacements[$original] = $winner['chvotes']; @@ -92,17 +92,17 @@ function poll_tokens($type, $tokens, arr $percent = ($winner['chvotes'] / $total_votes) * 100; $replacements[$original] = number_format($percent, 0); } else { $replacements[$original] = ''; } break; case 'poll-duration': - $replacements[$original] = format_interval($node->runtime, 1, $language_code); + $replacements[$original] = check_plain(format_interval($node->runtime, 1, $language_code)); break; } } } return $replacements; } Index: modules/statistics/statistics.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/statistics/statistics.tokens.inc,v retrieving revision 1.4 diff -u -9 -p -r1.4 statistics.tokens.inc --- modules/statistics/statistics.tokens.inc 20 Apr 2010 09:48:06 -0000 1.4 +++ modules/statistics/statistics.tokens.inc 9 May 2010 15:35:38 -0000 @@ -44,19 +44,19 @@ function statistics_tokens($type, $token $statistics = statistics_get($node->nid); $replacements[$original] = $statistics['totalcount']; } elseif ($name == 'day-count') { $statistics = statistics_get($node->nid); $replacements[$original] = $statistics['daycount']; } elseif ($name == 'last-view') { $statistics = statistics_get($node->nid); - $replacements[$original] = format_date($statistics['timestamp']); + $replacements[$original] = check_plain(format_date($statistics['timestamp'])); } } if ($created_tokens = token_find_with_prefix($tokens, 'last-view')) { $statistics = statistics_get($node->nid); $replacements += token_generate('date', $created_tokens, array('date' => $statistics['timestamp']), $options); } } Index: modules/system/system.test =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.test,v retrieving revision 1.124 diff -u -9 -p -r1.124 system.test --- modules/system/system.test 20 Apr 2010 09:48:06 -0000 1.124 +++ modules/system/system.test 9 May 2010 15:35:38 -0000 @@ -1445,119 +1445,119 @@ class TokenReplaceTestCase extends Drupa ); } /** * Creates a user and a node, then tests the tokens generated from them. */ function testTokenReplacement() { // Create the initial objects. $account = $this->drupalCreateUser(); - $node = $this->drupalCreateNode(array('uid' => $account->uid)); + $node = $this->drupalCreateNode(array('uid' => $account->uid, 'type' => 'page')); $node->title = 'Blinking Text'; + $node->body[LANGUAGE_NONE][0]['value'] = 'Invalid HTML: & <>'; global $user, $language; $source = '[node:title]'; // Title of the node we passed in $source .= '[node:author:name]'; // Node author's name $source .= '[node:created:since]'; // Time since the node was created $source .= '[current-user:name]'; // Current user's name $source .= '[date:short]'; // Short date format of REQUEST_TIME $source .= '[user:name]'; // No user passed in, should be untouched $source .= '[bogus:token]'; // Non-existent token $target = check_plain($node->title); $target .= check_plain($account->name); - $target .= format_interval(REQUEST_TIME - $node->created, 2, $language->language); + $target .= check_plain(format_interval(REQUEST_TIME - $node->created, 2, $language->language)); $target .= check_plain($user->name); - $target .= format_date(REQUEST_TIME, 'short', '', NULL, $language->language); + $target .= check_plain(format_date(REQUEST_TIME, 'short', '', NULL, $language->language)); // Test that the clear parameter cleans out non-existent tokens. $result = token_replace($source, array('node' => $node), array('language' => $language, 'clear' => TRUE)); - $result = $this->assertFalse(strcmp($target, $result), 'Valid tokens replaced while invalid tokens cleared out.'); + $result = $this->assertEqual($target, $result, 'Valid tokens replaced while invalid tokens cleared out.'); // Test without using the clear parameter (non-existant token untouched). $target .= '[user:name]'; $target .= '[bogus:token]'; $result = token_replace($source, array('node' => $node), array('language' => $language)); $this->assertFalse(strcmp($target, $result), 'Valid tokens replaced while invalid tokens ignored.'); // Check that the results of token_generate are sanitized properly. This does NOT // test the cleanliness of every token -- just that the $sanitize flag is being // passed properly through the call stack and being handled correctly by a 'known' - // token, [node:title]. - $raw_tokens = array('title' => '[node:title]'); + // token, [node:body]. + $raw_tokens = array('body' => '[node:body]'); $generated = token_generate('node', $raw_tokens, array('node' => $node)); - $this->assertFalse(strcmp($generated['[node:title]'], check_plain($node->title)), t('Token sanitized.')); + $instance = field_info_instance('node', 'body', 'page'); + $this->assertEqual($generated['[node:body]'], _text_sanitize($instance, $node->language, $node->body[LANGUAGE_NONE][0], 'value'), t('Token sanitized.')); + $this->assertNotEqual($generated['[node:body]'], $node->body[LANGUAGE_NONE][0]['value'], t('Token sanitized.')); $generated = token_generate('node', $raw_tokens, array('node' => $node), array('sanitize' => FALSE)); - $this->assertFalse(strcmp($generated['[node:title]'], $node->title), t('Unsanitized token generated properly.')); + $this->assertEqual($generated['[node:body]'], $node->body[LANGUAGE_NONE][0]['value'], t('Unsanitized token generated properly.')); } /** * Tests the generation of all system site information tokens. */ function testSystemSiteTokenReplacement() { global $language; $url_options = array( 'absolute' => TRUE, 'language' => $language, ); // Set a few site variables. variable_set('site_name', 'Drupal'); variable_set('site_slogan', 'Slogan'); - variable_set('site_mission', 'Mission'); // Generate and test sanitized tokens. $tests = array(); $tests['[site:name]'] = check_plain(variable_get('site_name', 'Drupal')); - $tests['[site:slogan]'] = check_plain(variable_get('site_slogan', '')); - $tests['[site:mission]'] = filter_xss(variable_get('site_mission', '')); + $tests['[site:slogan]'] = filter_xss_admin(variable_get('site_slogan', '')); $tests['[site:mail]'] = 'simpletest@example.com'; - $tests['[site:url]'] = url('', $url_options); - $tests['[site:url-brief]'] = preg_replace('!^https?://!', '', url('', $url_options)); - $tests['[site:login-url]'] = url('user', $url_options); + $tests['[site:url]'] = check_plain(url('', $url_options)); + $tests['[site:url-brief]'] = check_plain(preg_replace('!^https?://!', '', url('', $url_options))); + $tests['[site:login-url]'] = check_plain(url('user', $url_options)); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array(), array('language' => $language)); $this->assertFalse(strcmp($output, $expected), t('Sanitized system site information token %token replaced.', array('%token' => $input))); } // Generate and test unsanitized tokens. - $tests['[site:name]'] = variable_get('site_name', 'Drupal'); + $tests['[site:name]'] = check_plain(variable_get('site_name', 'Drupal')); $tests['[site:slogan]'] = variable_get('site_slogan', ''); - $tests['[site:mission]'] = variable_get('site_mission', ''); foreach ($tests as $input => $expected) { $output = token_replace($input, array(), array('language' => $language, 'sanitize' => FALSE)); $this->assertFalse(strcmp($output, $expected), t('Unsanitized system site information token %token replaced.', array('%token' => $input))); } } /** * Tests the generation of all system date tokens. */ function testSystemDateTokenReplacement() { global $language; // Set time to one hour before request. $date = REQUEST_TIME - 3600; // Generate and test tokens. $tests = array(); - $tests['[date:short]'] = format_date($date, 'short', '', NULL, $language->language); - $tests['[date:medium]'] = format_date($date, 'medium', '', NULL, $language->language); - $tests['[date:long]'] = format_date($date, 'long', '', NULL, $language->language); - $tests['[date:custom:m/j/Y]'] = format_date($date, 'custom', 'm/j/Y', NULL, $language->language); - $tests['[date:since]'] = format_interval((REQUEST_TIME - $date), 2, $language->language); - $tests['[date:raw]'] = filter_xss($date); + $tests['[date:short]'] = check_plain(format_date($date, 'short', '', NULL, $language->language)); + $tests['[date:medium]'] = check_plain(format_date($date, 'medium', '', NULL, $language->language)); + $tests['[date:long]'] = check_plain(format_date($date, 'long', '', NULL, $language->language)); + $tests['[date:custom:m/j/Y]'] = check_plain(format_date($date, 'custom', 'm/j/Y', NULL, $language->language)); + $tests['[date:since]'] = check_plain(format_interval((REQUEST_TIME - $date), 2, $language->language)); + $tests['[date:raw]'] = check_plain($date); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array('date' => $date), array('language' => $language)); $this->assertFalse(strcmp($output, $expected), t('Date token %token replaced.', array('%token' => $input))); } } Index: modules/system/system.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.tokens.inc,v retrieving revision 1.9 diff -u -9 -p -r1.9 system.tokens.inc --- modules/system/system.tokens.inc 20 Apr 2010 09:48:06 -0000 1.9 +++ modules/system/system.tokens.inc 9 May 2010 15:35:38 -0000 @@ -150,85 +150,80 @@ function system_tokens($type, $tokens, a $sanitize = !empty($options['sanitize']); $replacements = array(); if ($type == 'site') { foreach ($tokens as $name => $original) { switch ($name) { case 'name': $site_name = variable_get('site_name', 'Drupal'); - $replacements[$original] = $sanitize ? check_plain($site_name) : $site_name; + $replacements[$original] = check_plain($site_name); break; case 'slogan': $slogan = variable_get('site_slogan', ''); - $replacements[$original] = $sanitize ? check_plain($slogan) : $slogan; - break; - - case 'mission': - $mission = variable_get('site_mission', ''); - $replacements[$original] = $sanitize ? filter_xss($mission) : $mission; + $replacements[$original] = $sanitize ? filter_xss_admin($slogan) : $slogan; break; case 'mail': - $replacements[$original] = variable_get('site_mail', ''); + $replacements[$original] = check_plain(variable_get('site_mail', '')); break; case 'url': - $replacements[$original] = url('', $url_options); + $replacements[$original] = check_plain(url('', $url_options)); break; case 'url-brief': - $replacements[$original] = preg_replace('!^https?://!', '', url('', $url_options)); + $replacements[$original] = check_plain(preg_replace('!^https?://!', '', url('', $url_options))); break; case 'login-url': - $replacements[$original] = url('user', $url_options); + $replacements[$original] = check_plain(url('user', $url_options)); break; } } } elseif ($type == 'date') { if (empty($data['date'])) { $date = REQUEST_TIME; } else { $date = $data['date']; } foreach ($tokens as $name => $original) { switch ($name) { case 'short': - $replacements[$original] = format_date($date, 'short', '', NULL, $langcode); + $replacements[$original] = check_plain(format_date($date, 'short', '', NULL, $langcode)); break; case 'medium': - $replacements[$original] = format_date($date, 'medium', '', NULL, $langcode); + $replacements[$original] = check_plain(format_date($date, 'medium', '', NULL, $langcode)); break; case 'long': - $replacements[$original] = format_date($date, 'long', '', NULL, $langcode); + $replacements[$original] = check_plain(format_date($date, 'long', '', NULL, $langcode)); break; case 'since': - $replacements[$original] = format_interval((REQUEST_TIME - $date), 2, $langcode); + $replacements[$original] = check_plain(format_interval((REQUEST_TIME - $date), 2, $langcode)); break; case 'raw': - $replacements[$original] = filter_xss($date); + $replacements[$original] = check_plain($date); break; } } if ($created_tokens = token_find_with_prefix($tokens, 'custom')) { foreach ($created_tokens as $name => $original) { - $replacements[$original] = format_date($date, 'custom', $name, NULL, $langcode); + $replacements[$original] = check_plain(format_date($date, 'custom', $name, NULL, $langcode)); } } } elseif ($type == 'file' && !empty($data['file'])) { $file = $data['file']; foreach ($tokens as $name => $original) { switch ($name) { @@ -237,49 +232,49 @@ function system_tokens($type, $tokens, a $replacements[$original] = $file->fid; break; case 'uid': $replacements[$original] = $file->uid; break; // Essential file data case 'name': - $replacements[$original] = $sanitize ? check_plain($file->filename) : $file->filename; + $replacements[$original] = check_plain($file->filename); break; case 'description': - $replacements[$original] = $sanitize ? filter_xss($file->description) : $file->description; + $replacements[$original] = check_plain($file->description); break; case 'path': - $replacements[$original] = $sanitize ? filter_xss($file->uri) : $file->uri; + $replacements[$original] = check_plain($file->uri); break; case 'mime': - $replacements[$original] = $sanitize ? filter_xss($file->filemime) : $file->filemime; + $replacements[$original] = check_plain($file->filemime); break; case 'size': $replacements[$original] = format_size($file->filesize); break; case 'url': - $replacements[$original] = url(file_create_url($file->uri), $url_options); + $replacements[$original] = check_plain(url(file_create_url($file->uri), $url_options)); break; // These tokens are default variations on the chained tokens handled below. case 'timestamp': - $replacements[$original] = format_date($file->timestamp, 'medium', '', NULL, $langcode); + $replacements[$original] = check_plain(format_date($file->timestamp, 'medium', '', NULL, $langcode)); break; case 'owner': $account = user_load($file->uid); - $replacements[$original] = $sanitize ? filter_xss($account->name) : $account->name; + $replacements[$original] = check_plain($account->name); break; } } if ($date_tokens = token_find_with_prefix($tokens, 'timestamp')) { $replacements += token_generate('date', $date_tokens, array('date' => $file->timestamp), $options); } if (($owner_tokens = token_find_with_prefix($tokens, 'owner')) && $account = user_load($file->uid)) { Index: modules/taxonomy/taxonomy.test =================================================================== RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.test,v retrieving revision 1.78 diff -u -9 -p -r1.78 taxonomy.test --- modules/taxonomy/taxonomy.test 30 Apr 2010 12:52:10 -0000 1.78 +++ modules/taxonomy/taxonomy.test 9 May 2010 15:35:38 -0000 @@ -951,19 +951,19 @@ class TaxonomyTokenReplaceTestCase exten $edit[$this->instance['field_name'] . '[' . $this->langcode . '][]'] = $term2->tid; $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save')); // Generate and test sanitized tokens. $tests = array(); $tests['[term:tid]'] = $term2->tid; $tests['[term:vid]'] = $term2->vid; $tests['[term:name]'] = check_plain($term2->name); $tests['[term:description]'] = check_markup($term2->description, $term2->format); - $tests['[term:url]'] = url('taxonomy/term/' . $term2->tid, array('absolute' => TRUE)); + $tests['[term:url]'] = check_plain(url('taxonomy/term/' . $term2->tid, array('absolute' => TRUE))); $tests['[term:node-count]'] = 1; $tests['[term:parent:name]'] = check_plain($term1->name); $tests['[term:vocabulary:name]'] = check_plain($this->vocabulary->name); // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array('term' => $term2), array('language' => $language)); @@ -992,18 +992,17 @@ class TaxonomyTokenReplaceTestCase exten // Test to make sure that we generated something for each token. $this->assertFalse(in_array(0, array_map('strlen', $tests)), t('No empty tokens generated.')); foreach ($tests as $input => $expected) { $output = token_replace($input, array('vocabulary' => $this->vocabulary), array('language' => $language)); $this->assertFalse(strcmp($output, $expected), t('Sanitized taxonomy vocabulary token %token replaced.', array('%token' => $input))); } // Generate and test unsanitized tokens. - $tests['[vocabulary:name]'] = $this->vocabulary->name; $tests['[vocabulary:description]'] = $this->vocabulary->description; foreach ($tests as $input => $expected) { $output = token_replace($input, array('vocabulary' => $this->vocabulary), array('language' => $language, 'sanitize' => FALSE)); $this->assertFalse(strcmp($output, $expected), t('Unsanitized taxonomy vocabulary token %token replaced.', array('%token' => $input))); } } } Index: modules/taxonomy/taxonomy.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/taxonomy/taxonomy.tokens.inc,v retrieving revision 1.6 diff -u -9 -p -r1.6 taxonomy.tokens.inc --- modules/taxonomy/taxonomy.tokens.inc 29 Jan 2010 22:56:54 -0000 1.6 +++ modules/taxonomy/taxonomy.tokens.inc 9 May 2010 15:35:38 -0000 @@ -105,27 +105,27 @@ function taxonomy_tokens($type, $tokens, case 'tid': $replacements[$original] = $term->tid; break; case 'vid': $replacements[$original] = $term->vid; break; case 'name': - $replacements[$original] = $sanitize ? check_plain($term->name) : $term->name; + $replacements[$original] = check_plain($term->name); break; case 'description': $replacements[$original] = $sanitize ? check_markup($term->description, $term->format, '', TRUE) : $term->description; break; case 'url': - $replacements[$original] = url('taxonomy/term/' . $term->tid, array('absolute' => TRUE)); + $replacements[$original] = check_plain(url('taxonomy/term/' . $term->tid, array('absolute' => TRUE))); break; case 'node-count': $query = db_select('taxonomy_index'); $query->condition('tid', $term->tid); $query->addTag('term_node_count'); $count = $query->countQuery()->execute()->fetchField(); $replacements[$original] = $count; break; @@ -159,19 +159,19 @@ function taxonomy_tokens($type, $tokens, $vocabulary = $data['vocabulary']; foreach ($tokens as $name => $original) { switch ($name) { case 'vid': $replacements[$original] = $vocabulary->vid; break; case 'name': - $replacements[$original] = $sanitize ? check_plain($vocabulary->name) : $vocabulary->name; + $replacements[$original] = check_plain($vocabulary->name); break; case 'description': $replacements[$original] = $sanitize ? filter_xss($vocabulary->description) : $vocabulary->description; break; case 'term-count': $query = db_select('taxonomy_term_data'); $query->condition('vid', $vocabulary->vid); Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.1165 diff -u -9 -p -r1.1165 user.module --- modules/user/user.module 1 May 2010 08:12:23 -0000 1.1165 +++ modules/user/user.module 9 May 2010 15:35:39 -0000 @@ -2317,19 +2317,19 @@ function user_build_content($account, $v module_invoke_all('user_view', $account, $view_mode); } /** * Implements hook_mail(). */ function user_mail($key, &$message, $params) { $language = $message['language']; $variables = array('user' => $params['account']); - $message['subject'] .= _user_mail_text($key . '_subject', $language, $variables); + $message['subject'] .= decode_entities(strip_tags(_user_mail_text($key . '_subject', $language, $variables))); $message['body'][] = _user_mail_text($key . '_body', $language, $variables); } /** * Returns a mail string for a variable name. * * Used by user_mail() and the settings forms to retrieve strings. */ function _user_mail_text($key, $language = NULL, $variables = array(), $replace = TRUE) { Index: modules/user/user.tokens.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.tokens.inc,v retrieving revision 1.6 diff -u -9 -p -r1.6 user.tokens.inc --- modules/user/user.tokens.inc 20 Apr 2010 09:48:06 -0000 1.6 +++ modules/user/user.tokens.inc 9 May 2010 15:35:39 -0000 @@ -84,36 +84,36 @@ function user_tokens($type, $tokens, arr $replacements[$original] = $account->uid; break; case 'name': $name = format_username($account); $replacements[$original] = $sanitize ? filter_xss($name) : $name; break; case 'mail': - $replacements[$original] = $sanitize ? check_plain($account->mail) : $account->mail; + $replacements[$original] = check_plain($account->mail); break; case 'url': - $replacements[$original] = url("user/$account->uid", $url_options); + $replacements[$original] = check_plain(url("user/$account->uid", $url_options)); break; case 'edit-url': - $replacements[$original] = url("user/$account->uid/edit", $url_options); + $replacements[$original] = check_plain(url("user/$account->uid/edit", $url_options)); break; // These tokens are default variations on the chained tokens handled below. case 'last-login': - $replacements[$original] = format_date($account->login, 'medium', '', NULL, $language_code); + $replacements[$original] = check_plain(format_date($account->login, 'medium', '', NULL, $language_code)); break; case 'created': - $replacements[$original] = format_date($account->created, 'medium', '', NULL, $language_code); + $replacements[$original] = check_plain(format_date($account->created, 'medium', '', NULL, $language_code)); break; } } if ($login_tokens = token_find_with_prefix($tokens, 'last-login')) { $replacements += token_generate('date', $login_tokens, array('date' => $account->login), $options); } if ($registered_tokens = token_find_with_prefix($tokens, 'created')) { Index: themes/garland/template.php =================================================================== RCS file: /cvs/drupal/drupal/themes/garland/template.php,v retrieving revision 1.39 diff -u -9 -p -r1.39 template.php --- themes/garland/template.php 4 Mar 2010 09:03:08 -0000 1.39 +++ themes/garland/template.php 9 May 2010 15:35:39 -0000 @@ -104,19 +104,19 @@ function garland_preprocess_page(&$vars) $vars['site_title'] = implode(' ', $site_fields); if (!empty($site_fields)) { $site_fields[0] = '' . $site_fields[0] . ''; } $vars['site_html'] = implode(' ', $site_fields); // Set a variable for the site name title and logo alt attributes text. $slogan_text = $vars['site_slogan']; $site_name_text = $vars['site_name']; - $vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text; + $vars['site_name_and_slogan'] = strip_tags($site_name_text . ' ' . $slogan_text); } /** * Override or insert variables into the page template. */ function garland_process_page(&$vars) { // Hook into color.module if (module_exists('color')) { _color_page_alter($vars);