I'm assuming this is a Drupal system error rather than a theme bug; I'm using Garland. Also, I'm not entirely sure which core module it would be a part of, so I'm going with system. Apologies if I'm wrong on any of this.

The problem is that instead of displaying a & in my site's title, it displays &amp; instead. This has only occurred since I upgraded directly from 6.2 to 6.13. Since then, I've had to switch to good old "and", which annoys me and is not what my client wants to see on her site.

Thanks in advance,
Sam

Comments

jmenz’s picture

Component: system.module » Garland theme

This appears to be a theme issue - occurs with Garland and Minnelli only so I'll change the settings accordingly. I was having the same trouble but tried switching themes and these two were the only ones with the problem amongst the standard themes included in Drupal 6.13.

I'm guessing that at one point the system didn't escape ampersands in headings so these two themes patched that issue by escaping them - now the system does escape it and the theme escapes it again resulting in &amp;amp; being output in the code and &amp; showing in the rendered text.

A related issue (system?) is that ampersands in site names aren't escaped when printed to the title tag in any of the standard themes, which results in a validation warning. http://drupal.org/node/535240

grendzy’s picture

cafuego’s picture

Version: 6.13 » 6.17
Status: Closed (duplicate) » Needs review
Attached file: new, 1.62 KB

Issue #461938: Core should consistently filter_xss_admin() on $site_slogan and check_plain $site_name seems to have morphed into a giant patch that doesn't in fact address the problem in Garland on D6.

Attached patch removes the check_plain() calls from the Garland page.tpl.php and maintenance-page.tpl.php files, so the site_name and site_slogan — which are pulled through xss_filter_admin() in theme.inc — aren't escaped again in the theme, leading to such joy as &

Status: Needs review » Needs work

The last submitted patch, 527776.patch, failed testing.

cafuego’s picture

Status: Needs work » Needs review
Attached file: new, 1.63 KB

Re-test.

Status: Needs review » Needs work

The last submitted patch, 527776-2.patch, failed testing.

cafuego’s picture

I dunno what the test bot is applying it to (D7?) but it works totally fine on D6.17 here :-P

cafuego’s picture

Status: Needs work » Needs review
Attached file: new, 1.63 KB

Ok then. Brain fail. Renamed patch file, so the test bot doesn't go and test it against D7.

pree93’s picture

I tested this issue using Mozilla Firefox 3.6.13 and I applied the patch in comment 8, 527776-D6.patch and found that it fixed the problem with the ampersand.

I am using the following:
Drupal 6.20
Apache2
Postgresql 8.4

ashmiler’s picture

I have reproduced the problem that the original submitter had. I then applied the patch from comment #8 and found that it fixed the bug. I ran the patch in Chromium 8.0.552.224 on Drupal 6.20 while running Postgresql 8.4.

webster.’s picture

I also reproduced the issue that the original submitter had. I applied the #8 patch and it appears to have fixed the bug, changing the display in the site title from '&amp ;' to '&' (:
Firefox 3.6.13
Drupal 6.20
Postgresql 8.4

(:

lyd’s picture

Version: 6.17 » 7.0
Component: Garland theme » Bartik theme

I have the same problem but in the Miranelli Theme for Drupal 7.
The Bartik Theme for Drupal 7 works fine.

lyd’s picture

Correction for #12:

Cannot display ampersand in site title in the
Marinelli Theme for Drupal 7

Thx

serenecloud’s picture

Is there any security issue with removing check_plain from the theme?

cafuego’s picture

I'd think not, as the string is already filtered in theme.inc

If so, all themes that display the ampersand correctly (ie: that don't filter a second time) are a security issue :-)

amateescu’s picture

Component: Bartik theme » Minnelli theme

So this is not a Bartik issue.

montesq’s picture

Project: Drupal core » Marinelli
Version: 7.0 » 7.x-3.0-beta6
Component: Minnelli theme » Code
Status: Needs review » Postponed (maintainer needs more info)

According to #12 this issue is not related to drupal core...

cafuego’s picture

Project: Marinelli » Drupal core
Version: 7.x-3.0-beta6 » 6.20
Component: Code » Garland theme
Status: Postponed (maintainer needs more info) » Needs review

Rather than continuously and uselessly changing the issue meta info, how about we leave it on Garland/D6 with a patch that actually works and just needs someone to test it.

If you keep fiddling with it, a maintainer will NOT look at this issue and the patch will NOT go in.

The issue no longer exists in the D7 version of the Garland theme.

cafuego’s picture

Attached file: new, 1.63 KB

RedRat’s picture

Status: Needs review » Reviewed & tested by the community

This patch definitely works out the problem of ampersands in the site name and slogan. Should we mark this issue as "tested by community"?

gábor hojtsy’s picture

Status: Reviewed & tested by the community » Needs work

I don't think this is a good solution. Unfortunately the check_plains() seem to be rather important to not break the text that is used in title and alt attributes of the home page link / logo. If we remove the check_plain()s it would break HTML via those attributes in certain cases. The site name and slogan are certainly supposed to support HTML markup, at least that is what I read from the code (we use filter_xss_admin() on them, not escaping). So it should be possible to use any valid markup there, which would break the title and alt attributes.

I've also asked people in the security team to take a look. My initial feeling is that we should separate escaping for the title and alt attribute and for the eventual site name output.
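
Added example (not part of the thread, and not Drupal's code): the double escaping reported above and the per-context split suggested in the last comment. `escape_plain()` and `normalize_ampersands()` are hypothetical stand-ins for `check_plain()` and for the ampersand handling of `filter_xss_admin()`; no tag filtering is done here, and the site name is a constructed sample.

```php
<?php
// Hypothetical stand-in for check_plain(): escape every HTML special character.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for the filter step: encode bare ampersands,
// leave well-formed entities and markup untouched (no tag filtering here).
function normalize_ampersands($html) {
  $pattern = '/&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)/';
  return preg_replace($pattern, '&amp;', $html);
}

// Attribute context: drop markup, decode entities back to text,
// then escape exactly once so quotes cannot close the attribute.
function attribute_text($filtered_html) {
  $plain = html_entity_decode(strip_tags($filtered_html), ENT_QUOTES, 'UTF-8');
  return escape_plain($plain);
}

// Constructed sample: a site name with an ampersand and allowed markup.
$site_name = 'Fish & <em class="hot">Chips</em>';

// What the theme layer would hand to the template (already HTML).
$filtered = normalize_ampersands($site_name);

// The reported bug: the template escapes the already-encoded string again,
// so the ampersand entity is itself encoded and the markup shows as text.
$double_escaped = escape_plain($filtered);

// The concern with simply dropping the escape: the same HTML string placed
// in an attribute carries tags and a double quote into the attribute value.
$attr_unsafe = '<img alt="' . $filtered . '" src="logo.png" />';

// Separate handling per output context.
$heading   = '<h1>' . $filtered . '</h1>';
$attr_safe = '<img alt="' . attribute_text($filtered) . '" src="logo.png" />';

foreach (array(
  'filtered'        => $filtered,
  'double escaped'  => $double_escaped,
  'attribute (raw)' => $attr_unsafe,
  'heading'         => $heading,
  'attribute (ok)'  => $attr_safe,
) as $label => $value) {
  echo str_pad($label . ':', 18), $value, PHP_EOL;
}
```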

damien tournoud’s picture