hi,

i faced a situation where an ampersand character was used as part of the site name and the site slogan.

it turns out that the content of the $head_title contained un-escaped html characters and most of the time $head_title ends up being printed as the page title in the html header by <?php print $head_title ?> in page.tpl.php files

what do you think ?

CommentFileSizeAuthor
#2 theme.inc_.check_plain.patch836 bytesguardian
#2 theme.maintenance.inc_.check_plain.patch858 bytesguardian
theme.maintenance.inc_.check_plain.patch690 bytesguardian

Comments

guardian’s picture

guardian commented
Status: Active » Needs review
guardian’s picture

guardian commented
StatusFileSize
new theme.maintenance.inc_.check_plain.patch858 bytes
new theme.inc_.check_plain.patch836 bytes

new patches

grendzy’s picture

grendzy commented
Status: Needs review » Closed (duplicate)

see #461938: Core should consistently filter_xss_admin() on $site_slogan and check_plain $site_name