Closed (duplicate)
Project:
Drupal core
Version:
6.20
Component:
Garland theme
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
22 Jul 2009 at 18:30 UTC
Updated:
14 Apr 2011 at 09:43 UTC
Comments
Comment #1
jmenz commented:
This appears to be a theme issue - occurs with Garland and Minnelli only so I'll change the settings accordingly. I was having the same trouble but tried switching themes and these two were the only ones with the problem amongst the standard themes included in Drupal 6.13.
I'm guessing that at one point the system didn't escape ampersands in headings so these two themes patched that issue by escaping them - now the system does escape it and the theme escapes it again resulting in &amp;amp; being output in the code and &amp; showing in the rendered text.
A related issue (system?) is that ampersands in site names aren't escaped when printed to the title tag in any of the standard themes, which results in a validation warning. http://drupal.org/node/535240
Comment #2
grendzy commented:
see #461938: Core should consistently filter_xss_admin() on $site_slogan and check_plain $site_name
Comment #3
cafuego commented:
Issue #461938: Core should consistently filter_xss_admin() on $site_slogan and check_plain $site_name seems to have morphed into a giant patch that doesn't in fact address the problem in Garland on D6.
Attached patch removes the check_plain() calls from the Garland page.tpl.php and maintenance-page.tpl.php files, so the site_name and site_slogan — which are pulled through xss_filter_admin() in theme.inc — aren't escaped again in the theme, leading to such joy as &amp;
Comment #5
cafuego commented:
Re-test.
Comment #7
cafuego commented:
I dunno what the test bot is applying it to (D7?) but it works totally fine on D6.17 here :-P
Comment #8
cafuego commented:
Ok then. Brain fail. Renamed patch file, so the test bot doesn't go and test it against D7.
Comment #9
pree93 commented:
I tested this issue using Mozilla Firefox 3.6.13 and I applied the patch in comment 8, 527776-D6.patch, and found that it fixed the problem with the ampersand.
I am using the following:
Drupal 6.20
Apache2
Postgresql 8.4
Comment #10
ashmiler commented:
I have reproduced the problem that the original submitter had. I then applied the patch from comment #8 and found that it fixed the bug. I ran the patch in Chromium 8.0.552.224 on Drupal 6.20 while running Postgresql 8.4.
Comment #11
webster. commented:
I also reproduced the issue that the original submitter had. I applied the #8 patch and it appears to have fixed the bug, changing the display in the site title from '&amp;' to '&' (:
Firefox 3.6.13
Drupal 6.20
Postgresql 8.4
(:
Comment #12
lyd commented:
I have the same problem but in the Miranelli Theme for Drupal 7.
The Bartik Theme for Drupal 7 works fine.
Comment #13
lyd commented:
Correction for #12:
Cannot display ampersand in site title in the
Marinelli Theme for Drupal 7
Thx
Comment #14
serenecloud commented:
Is there any security issue with removing check_plain from the theme?
Comment #15
cafuego commented:
I'd think not, as the string is already filtered in theme.inc
If so, all themes that display the ampersand correctly (ie: that don't filter a second time) are a security issue :-)
Comment #16
amateescu commented:
So this is not a Bartik issue.
Comment #17
montesq commented:
According to #12 this issue is not related to drupal core...
Comment #18
cafuego commented:
Rather than continuously and uselessly changing the issue meta info, how about we leave it on Garland/D6 with a patch that actually works and just needs someone to test it.
If you keep fiddling with it, a maintainer will NOT look at this issue and the patch will NOT go in.
The issue no longer exists in the D7 version of the Garland theme.
Comment #19
cafuego commented:
Comment #20
RedRat commented:
This patch definitely works out problem of ampersands in the site name and slogan. Should we mark this issue as "tested by community"?
Comment #21
gábor hojtsy commented:
I don't think this is a good solution. Unfortunately the check_plains() seem to be rather important to not break the text that is used in title and alt attributes of the home page link / logo. If we remove the check_plain()s it would break HTML via those attributes in certain cases. The site name and slogan are certainly supposed to support HTML markup, at least that is what I read from the code (we use filter_xss_admin() on them, not escaping). So it should be possible to use any valid markup there, which would break the title and alt attributes.
I've also asked people in the security team to take a look. My initial feeling is that we should separate escaping for the title and alt attribute and for the eventual site name output.
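The double escaping described in #3 and the per-context escaping that #21 asks for, as an added PHP example that is neither Drupal code nor code from anyone in this thread. check_plain() below is Drupal 6's definition (minus its UTF-8 validation); filter_xss_admin_stub() keeps only the entity-normalising step of the real filter_xss_admin() and is an assumption for illustration, as are the helper name attr_from_filtered() and the sample site names.

```php
<?php
// Added example, not Drupal code. Shows what Garland's extra check_plain()
// does to a $site_name that theme.inc already passed through filter_xss_admin(),
// and one way to escape per output context instead.

// Same definition as Drupal 6's check_plain() (minus its UTF-8 validation).
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for filter_xss_admin() (assumption). The two entity
// steps are the ones from filter_xss(): turn every '&' into '&amp;', then
// restore only well-formed entities. Tag handling is reduced to a short
// strip_tags() whitelist; the real function also strips dangerous attributes.
function filter_xss_admin_stub($text) {
  $text = str_replace('&', '&amp;', $text);
  $text = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9a-fA-F]+);/', '&\1;', $text);
  return strip_tags($text, '<em><strong><b><i>');
}

// Hypothetical helper for the title="" / alt="" case from #21: the value is
// already entity-encoded, so drop tags and escape quotes and angle brackets
// without encoding '&' a second time (double_encode = FALSE, PHP >= 5.2.3).
function attr_from_filtered($filtered) {
  return htmlspecialchars(strip_tags($filtered), ENT_QUOTES, 'UTF-8', FALSE);
}

// Constructed sample site names: a plain one, and one with the markup and
// quotes that filter_xss_admin() deliberately allows through.
$samples = array(
  'Drupal & Friends',
  '<em>Drupal</em> & "Friends"',
);

foreach ($samples as $raw) {
  $site_name = filter_xss_admin_stub($raw);   // what theme.inc hands the template

  $double = check_plain($site_name);          // what Garland's template did
  $seen   = html_entity_decode($double, ENT_QUOTES, 'UTF-8'); // what the visitor reads

  printf("raw:            %s\n", $raw);
  printf("after filter:   %s\n", $site_name);
  printf("double-escaped: %s  -> visitor sees: %s\n", $double, $seen);
  printf("title attr:     <a title=\"%s\">\n", attr_from_filtered($site_name));
  printf("element body:   <h1>%s</h1>\n\n", $site_name);
}
```

Run it with the php CLI. The first sample reproduces the literal `&amp;` that #1 and #3 describe (`&amp;amp;` in the markup); the second shows #21's point: once check_plain() is dropped from the body, the title and alt attributes still need their own quote and tag escaping, because filter_xss_admin() leaves markup and quotes in place on purpose.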
Comment #22
damien tournoud commented:
Duplicate of #461938: Core should consistently filter_xss_admin() on $site_slogan and check_plain $site_name.