(just FYI, this was cleared by the security team for the public issue queue).
Problem
In this function: http://api.drupal.org/api/function/template_preprocess_page/6
$site_slogan and $site_name are not checked by filter_xss_admin(), though $footer_message and $mission are.
Oddly, Garland's page.tpl.php uses check_plain($site_slogan), but Pushbutton does not. It's likely that most contrib themes do not check these variables (zen doesn't).
It is still a problem in D7 and D8. The problem can be seen if you set the site name to a &
b. In some places it is displayed as a &
b and in some places as a & b.
Proposed resolution
http://drupal.org/files/site-name-slogan-follow-up-8.patch
Remaining tasks
Committed to 8.x, D7 backport in #107 needs review.
User interface changes
n/a
API changes
n/a
Comment | File | Size | Author |
---|---|---|---|
#107 | Inconsistent-use-of-filter_xss_admin-461938-107.patch | 6.01 KB | afeijo |
#104 | Inconsistent-use-of-filter_xss_admin-461938-104.patch | 5.25 KB | afeijo |
#94 | 461938-94.patch | 5.41 KB | dsdeiz |
#92 | 461938-92.patch | 3.89 KB | dsdeiz |
#85 | site-name-slogan-follow-up-8.patch | 5.57 KB | c960657 |
Comments
Comment #1
JamesAn CreditAttribution: JamesAn commentedHere's the HEAD and 6.x-dev patches.
Comment #2
catchLooks good, footer and mission are gone in D7 but this looks like a backport to D6 as well.
Comment #4
lilou CreditAttribution: lilou commentedSetting to previous status - testbot was broken.
Comment #5
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Moving to D6.
Comment #6
JamesAn CreditAttribution: JamesAn commentedThe D6 patch was included as well and the changes are identical. Ready for commit?
Comment #7
Gábor HojtsyCommitted to Drupal 6, thanks!
Comment #9
grendzy CreditAttribution: grendzy commentedwhoops... we missed a few spots in $head_title. Follow-up patch is attached. BTW this seems to be the cause of a number of issues with using an ampersand in site_name.
#535240: Ampersands in site name are not escaped in title tag
#527776: Cannot display ampersand in site title
#167176: ampersand in site title not transformed to HTML leads to invalid html code
#371975: &s and other entities
#258137: $head_title construction lacks check_plain calls
Comment #10
Kars-T CreditAttribution: Kars-T commentedApplied the patch and my D7 HEAD did still function. I added some &%$§ to the head and it works. From the code I'd say its okay.
Comment #11
webchickCool, let's get some tests for this please.
Comment #12
Kars-T CreditAttribution: Kars-T commentedOkay the test seems quiet easy to me. I just enter some markup for the title like "###< / title > ###". Without the patch the html is broken. With this patch I can check for the escaped string inside the real < title > and everything is fine. Done this by hand and it testable.
But I have a question before I go coding this as I am new to writing tests for core:
Where should it go to?
Is there already a testcase it can be added or should this go in a new file to setup where?
And one more thing just appeared to me:
I thought slogan is now a block? If I activate "slogan" in Garland as this is patched by this patch as well it is added to the site like it was in D6? I mean this is a problem about writing the test. Should I add the slogan block or just activate garlands settings?
Comment #13
Kars-T CreditAttribution: Kars-T commentedThanks to stBorchert I figured that I should put this into system.test. So I made a little test to check if site name and slogan are escaped correctly. And I reworked the patch to latest HEAD.
Comment #15
Kars-T CreditAttribution: Kars-T commentedwrong path...
Comment #16
grendzy CreditAttribution: grendzy commentedLooks good to me. Thanks for the tests.
Comment #17
grendzy CreditAttribution: grendzy commentedComment #19
Kars-T CreditAttribution: Kars-T commentedReroll against latest HEAD.
Comment #20
grendzy CreditAttribution: grendzy commentedlooks good.
Comment #21
webchickI believe we want filter_xss_admin() instead, since these values are entered by the administrator.
Also, could you please add a line of PHPDoc to:
Comment #22
grendzy CreditAttribution: grendzy commentedwebchick: The reason filter_xss_admin isn't used is that tags aren't allowed in the <title>. My patch in #9 actually used
filter_xss(variable_get('site_name', 'Drupal'), array())
. It looks like Kars-T removed the array(). I hadn't noticed that, so I'm glad you caught it.Now that raises the obvious question, why not just use check_plain, or strip_tags?
Check plain escapes tags, so isn't suitable if we allow HTML in site_name. (I think a good argument can be made that HTML shouldn't be allowed at all, since site_name is used in e-mail and other places.) However past versions (at least back to 4.7 I think) have allowed HTML, so I expect some users would see this as a regression.
Ok, so what about strip_tags? strip_tags won't entify ampersands, which is part of what got this whole issue started. If you put & directly in your site_name, then you'll get email like "An administrator created an account for you at stuff & things." (Which I suppose is an argument against allowing HTML here).
So, #9 was intended as a compromise for to accommodate both situations. What do you think? Should we go to check_plain?
Comment #23
Kars-T CreditAttribution: Kars-T commentedfilter_xss_admin() for slogan and check_plain() for the site_name? If Garland did this before for site_name and it did workout why don't keep this behavior?
Otherwise I fear we would need more context where and why site_name is used or split it up in different variables. Both not really desirable to me.
Comment #24
grendzy CreditAttribution: grendzy commentedFair enough. Kars-T, if you're willing to update the patch I'll do another review. Also, regarding the test:
You could probably shrink it a bit by using variable_set('site_name', 'foo'). I don't think you really need to go through the admin form. Could you also add a test that includes an ampersand in the site name, since there are a number of bug reports for that specifically? Thanks!
Comment #25
Kars-T CreditAttribution: Kars-T commentedSure will do probably tomorrow :)
Comment #26
Kars-T CreditAttribution: Kars-T commentedI currently can't test the slogan with garland.
#602372: $site_slogan no longer used in page.tpl.php
I don't know if changing the default theme to stark during the test is an appreciated thing to do. Should tests always use garland?
Comment #27
Garrett Albright CreditAttribution: Garrett Albright commentedD6 patch attached.
Comment #28
grendzy CreditAttribution: grendzy commentedGarrett: can we keep the backport tag until the version is changed (i.e. the 7.x fix is committed) ? Also per #23 I think we're going ahead with check_plain for site_name.
Kars-T: I would go ahead with the patch, and don't worry about changing the theme. If slogan isn't testable I think we can live with that.
Comment #29
Garrett Albright CreditAttribution: Garrett Albright commentedOkay, here's a patch that uses check_plain() for $site_name.
Incidentally, I ran into this problem when I ran into the ampersand issue as in #9.
Comment #30
Kars-T CreditAttribution: Kars-T commentedNew Patch against latest HEAD.
As discussed site_name is check_plain() and slogan filter_xss_admin(). The test for the slogan is escaped right now. And I did add a short comment.
Why is this tagged with Minelli as it just adds CSS and no tpl files or do I miss something?
Comment #31
joachim CreditAttribution: joachim commentedTested the patch in #29 on D6. Confirming it fixes the double-escaping of characters such as '&' in site titles in Garland.
Comment #32
mcrittenden CreditAttribution: mcrittenden commentedRemoving Minnelli tag since Garland and Minnelli have been merged into one theme now, and bumping to normal (since a lot of sites want to use ampersands in their site name).
Patch in #30 works for me. Anybody else care to RTBC?
Comment #33
joachim CreditAttribution: joachim commentedPatch in #30 works on D7 from CVS (with offsets).
RTBC.
Tagging with DrupalWTF, because, really, not managing to get a plain old ampersand in a site name is an embarrassment.
Comment #34
Kars-T CreditAttribution: Kars-T commentedSetting this back to "needs work" as it just came in from #602372: $site_slogan no longer used in page.tpl.php that garland now uses filter_xss_admin in template.php.
I believe we could ignore that the variables are filtered twice but lets get this clean once and for all.
Comment #35
Kars-T CreditAttribution: Kars-T commentedThis Garland Patch did add more use of filter_xss_admin() and did access the variables site_name and site_slogan directly. But finally we can check slogan within Garland again.
I did change this to $vars['site_slogan']; and $vars['site_name']; so we use the globally filtered versions.
Now the patch runs fine again and tests if slogan and title are XSS proof.
Comment #36
Kars-T CreditAttribution: Kars-T commentedDid use wrong path for patch resubmitting.
Comment #37
effulgentsia CreditAttribution: effulgentsia commentedsubscribing
Comment #38
grendzy CreditAttribution: grendzy commentedlooks good!
Comment #39
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Thanks.
Comment #40
joachim CreditAttribution: joachim commentedLet's backport this to 6 -- the patch from #29 worked on 6 when I tested it in December.
Comment #41
grendzy CreditAttribution: grendzy commentedyep, +1. #29 still applies.
Comment #42
c960657 CreditAttribution: c960657 commentedThe patch omitted some occurrences. This fixes a bunch of them, including when site_name is used in mails (e.g. the lost password mail).
Comment #43
markabur CreditAttribution: markabur commentedLooks good, could be rtbc, though I see that aggregator.pages.inc has a check_plain that's no longer necessary? Separate issue?
Comment #44
c960657 CreditAttribution: c960657 commented@markabur: Which check_plain() in that function is not necessary?
Comment #45
markabur CreditAttribution: markabur commentedI was looking at the one wrapping the site_name:
check_plain(variable_get('site_name', 'Drupal'))
Isn't it already plain by this point?
Comment #46
c960657 CreditAttribution: c960657 commentedThe site_name variable contains the raw unescaped string. So we should always pass it through check_plain() when outputting it in HTML or XML.
Comment #47
markabur CreditAttribution: markabur commentedOk, I see. I was thinking that template_preprocess_page was affecting site_name there.
Comment #48
sunCross-linking #655742: HTML HEAD title cannot be safely output differently - looks like I didn't caught maintenance page preprocessing over there.
Comment #49
meba CreditAttribution: meba commentedsubscribe.
@sun is this needs work then?
Comment #50
sunNope, all fine (although I didn't do an in-depth review). Sorry for the confusion.
Comment #51
Dries CreditAttribution: Dries commentedWhy this change? Looks odd.
This patch is pretty hard to review which suggest something is wrong -- we need to figure out how to simplify this in D8 or so.
Comment #52
sunYes, that change is wrong. Mails are HTML by default in D7 and may be converted to plain-text prior to sending by the mail engine only.
Comment #53
c960657 CreditAttribution: c960657 commentedSubjects are always just plain-text AFAICT, but the output from _user_mail_text() is HTML-like.
This patch uses a slightly different approach. It adds a new argument to _user_mail_text() that tells whether to output in HTML or plain-text. system_tokens() is adjusted to convert site_slogan to plain-text when $options['sanitize'] is FALSE. I assume the intention behind the 'sanitize' option for token_replace() is to determine, whether the tokens should be formatted as HTML or as plain-text. It also removes a few occurrences of site_mission that were a left-over from #428800: Convert mission statements to a region with blocks.
Comment #54
sunWhen not sanitizing, the value should be returned as-is. @see http://api.drupal.org/api/function/token_replace/7
Why do we remove the [site:mission] token?
This looks wonky, but the more I think about it, the more I think it's correct.
The mail body should be HTML, which means that we need to sanitize it. When sending plain-text mails, the mail engine will invoke drupal_html_to_text(), which in turn will convert all HTML to plain-text.
The mail subject only seems to be processed via http://api.drupal.org/api/function/mime_header_encode/7 in DefaultMailSystem::mail(), which also makes me wonder whether we're not missing some fundamental sanitation for security here. Why don't we sanitize the subject here?
At the very least, we need to explain this with inline comments for each message element here.
96 critical left. Go review some!
Comment #55
c960657 CreditAttribution: c960657 commentedIsn't that a weird/useless/dangerous behaviour? If I replace tokens without sanitation, and the tokens are inserted as-is, I wouldn't know which format the output string is. Some tokens are HTML (e.g. site_slogan) and some are plain-text (e.g. site_name), and they are all inserted into the same string that would become some undefined mix of HTML and plain-text. I cannot just pass the output string through check_plain() or filter_xss() without changing the meaning of the string.
I think there may be two meaningful behaviours of 'sanitize' == FALSE: Either 1) the output is supposed to be plain-text, i.e. with no entites or tags, or 2) the output is supposed to be unsanitized HTML, i.e. site_name should still be check_plain()'ed. We can always derive the plain-text version from the sanitized or unsanitized HTML versions using decode_entities(strip_tags()). We cannot derive the unsanitized version from the sanitized, so perhaps we should stick with option 2?
site_mission was removed in #428800: Convert mission statements to a region with blocks. This is just a left-over.
Mail subjects are plain-text. Mail clients do not interpret subjects as HTML, so they shouldn't be escaped used check_plain().
Comment #56
sunGood thinking. 2) makes more sense to me. Exceeds my horizon, even though I heavily reviewed + approved the token-in-core patch. We likely need to pull eaton into this issue. And, we likely need to review all other token replacements.
As this might have security implications, bumping to critical.
Comment #57
c960657 CreditAttribution: c960657 commentedThis patch implements option 2).
Comment #58
c960657 CreditAttribution: c960657 commentedComment #59
effulgentsia CreditAttribution: effulgentsia commentedRe #56:
Adding the tag too, in that case.
Comment #60
catchI saw a filter.module hunk in another issue dealing with this, which isn't included here - I think we should do all these at once.
This isn't an exploitable security issue, because both of those require 'administer site configuration', which already lets you take over the site, see http://drupal.org/Security-announcements-process-policy. So not a release blocker, but should still be fixed for consistency.
Comment #62
Fogg CreditAttribution: Fogg commented+1 for the D6 backport. this is embarrasing that a simple ampersand will not show correctly....
Comment #63
chriscohen CreditAttribution: chriscohen commentedAnother +1 for the D6 backport. Ampersands are found everywhere in English, at least. It's frustrating not to be able to use them.
Comment #64
Dave ReidComment #65
c960657 CreditAttribution: c960657 commentedReroll + updated documentation in system.api.php and token.inc.
Comment #66
Dave ReidI don't really agree with the changes to token behavior at this late in the game.
Comment #67
c960657 CreditAttribution: c960657 commentedThis is a patch without the token changes.
I'll file a separate issue for the token stuff. I hope that we can fix both, though.
Comment #68
sunIn that case, we need to move all available discussion around #55 into a separate issue, which should be critical. What has been described above sounds like a violation of the safe string theory for the web.
Comment #69
c960657 CreditAttribution: c960657 commentedI filed #974782: Resulting string format of token_replace(..., array('sanitize' => FALSE)) is undefined about the token issue.
Comment #70
c960657 CreditAttribution: c960657 commentedReroll.
Comment #71
sunI don't understand this change.
Powered by Dreditor.
Comment #72
c960657 CreditAttribution: c960657 commented$site_name_and_slogan is only used inside attributes of an tag where HTML tags are not allowed:
Comment #73
sunLet's do the strip_tags() as well as check_plain() here instead;i.e.:
$slogan_text = check_plain(strip_tags($vars['site_slogan']));
$site_name_text is already check_plain()'ed, so it doesn't contain any tags.
Powered by Dreditor.
Comment #74
c960657 CreditAttribution: c960657 commentedDone.
I also added strip_tags() arround filter_xss_admin() at to the two occurences of the following line (because we cannot have tags in the <title> element):
Comment #75
sunWe need a wrapping check_plain() here, because it is going to be output in an HTML attribute.
Powered by Dreditor.
Comment #76
c960657 CreditAttribution: c960657 commented$vars['site_slogan'] has been passed through filter_xss_admin() in template_preprocess_page(), so it contains sanitized HTML with tags and valid entities. Calling strip_tags() removes the tags but preserves the entities. Wrapping it in check_plain() would double-encode the entities, and we don't want that. Right?
Comment #77
c960657 CreditAttribution: c960657 commentedReroll.
Comment #78
joachim CreditAttribution: joachim commentedIs this actually still a problem on D7?
I just tried setting my site name to 'D7 & co' and it worked fine -- ampersands being the prime example case for this bug.
(still needs fixing on D6 though)
Comment #79
iRex CreditAttribution: iRex commentedsubscribing
Comment #80
c960657 CreditAttribution: c960657 commentedYes, it is still a problem in D7 and D8. The problem can be seen if you set the site name to
a & b
. In some places it is displayed asa & b
and in some places asa & b
.Comment #81
c960657 CreditAttribution: c960657 commentedHere is a reroll for D8.
Comment #83
c960657 CreditAttribution: c960657 commentedComment #84
Cyberwolf CreditAttribution: Cyberwolf commentedSubscribing.
Comment #85
c960657 CreditAttribution: c960657 commentedReroll after #22336: Move all core Drupal files under a /core folder to improve usability and upgrades.
Comment #86
c960657 CreditAttribution: c960657 commented#85: site-name-slogan-follow-up-8.patch queued for re-testing.
Comment #87
c960657 CreditAttribution: c960657 commentedRaising severity because this bug makes us vulnerable to XSS (requires "administer site configuration" permission), see #1506408: Bartik maintenance page site_name/site_slogan vulernable to xss.
Comment #88
greggles@c960657 note that "administer site configuration" is on the list of permissions that are considered to be able to take over a site http://drupal.org/security-advisory-policy
Comment #89
Dave ReidLet's settle on major based on http://drupal.org/node/45111 and the fact that this requires an administrator to even input the XSS.
Comment #90
catch#85: site-name-slogan-follow-up-8.patch queued for re-testing.
Comment #91
tim.plunkettAlmost none of this applies now that #1496542: Convert site information to config system is in.
Should be a novice reroll.
Comment #92
dsdeiz CreditAttribution: dsdeiz commentedHi, trying my hands on this although I can't find where system.test is now.
Comment #93
Tor Arne Thune CreditAttribution: Tor Arne Thune commented@dsdeiz: The system test you are looking for is now found here:
core/modules/system/lib/Drupal/system/Tests/System/TokenReplaceTest.php
Comment #94
dsdeiz CreditAttribution: dsdeiz commentedAh cool. Thx!
Comment #95
ZenDoodles CreditAttribution: ZenDoodles commentedThis really needs a proper issue summary and STR... Meanwhile, I suggest referring to comments #12 and #80 for a starting place re: manual tests.
Comment #95.0
iflista CreditAttribution: iflista commentediflista
Comment #96
iflista CreditAttribution: iflista commented#1: 461938-1.patch queued for re-testing.
Comment #97
iflista CreditAttribution: iflista commented#1: 461938-1-D6.patch queued for re-testing.
Comment #97.0
iflista CreditAttribution: iflista commentediflista
Comment #97.1
iflista CreditAttribution: iflista commentediflista
Comment #97.2
iflista CreditAttribution: iflista commentedUpdated issue summary.
Comment #97.3
iflista CreditAttribution: iflista commentedUpdated issue summary.
Comment #97.4
iflista CreditAttribution: iflista commentedIssue summary updated.
Comment #98
sunI manually compared + reviewed the original #77 with the latest patch and the changes are still the same and valid.
The essential changes:
1) Any values output for the TITLE in HEAD must not contain HTML markup. (d'oh)
2) The site_name template variable is changed to consistently contain a escaped/sanitized string ready for output in HTML. The previous code used filter_xss_admin() in some but not all locations. But the site_name variable is first and foremost used to output it literally (or alternatively, in HTML attributes). With this patch, any theme that's doing unholy things with site_name needs to retrieve the original on its own.
3) The site_slogan variable was not escaped/sanitized at all for the maintenance page, but requires filter_xss_admin() at minimum. This means that any unholy SCRIPT and other stuff within the site slogan is stripped off.
4) The site:slogan token is adjusted accordingly. That one was more and actually too secure previously, as it used check_plain() instead of filter_xss_admin().
All of this makes sense.
The latest patch also applies cleanly, so we're ready to move forward.
FWIW, this doesn't look backportable to me.
Comment #99
sunSorry, I'm blatantly mistaken; the patch doesn't apply at all anymore. Massive havoc.
Comment #100
tim.plunkettNot putting back at RTBC, but #94 applies cleanly for me. Slight offset with patch -p1, no complaints from git apply.
Comment #101
sunJesus. Please ignore me! Applying the identical patch twice obviously leads to 100% rejects. ;) Back to RTBC. :)
Comment #102
Dries CreditAttribution: Dries commentedCommitted to 8.x. Thanks!
Comment #103
sunComment #104
afeijoI made the backport to d7, here it is the patch
Comment #106
sunThe change to D7's TokenReplaceTest is missing.
Furthermore:
This needs both filter_xss_admin() and strip_tags() -- please check the D8 patch.
As mentioned before, I'm really not sure whether we can backport this particular change.
This needs filter_xss_admin() only.
Comment #107
afeijoI added the missing part and changed the other sutff
Comment #108
sunComment #109
afeijo[edit] sorry, I posted on the wrong tab, my mistake
Comment #110
afeijoComment #110.0
afeijoiflista
Comment #110.1
star-szrUpdating remaining tasks
Comment #111
Elvar CreditAttribution: Elvar commentedI can confirm that sun's "Missing parts" is applied in afeijo patch.
I have applied it locally, no problem. Also i have ran simple test, and put the patch thought Drupal code sniffer, no issues.
Comment #112
David_Rothstein CreditAttribution: David_Rothstein commented@sun's comment in #106 ("I'm really not sure whether we can backport this particular change") doesn't seem to have been discussed or addressed yet.... And the code he refers to looks suspicious to me also. Someone might be calling check_plain() in a template file, so adding a new one here would cause things to be double-escaped.
Also, in general, it seems like this patch is going to enforce a "no HTML in site names" rule that wasn't enforced (or at least was only partially enforced) before? If I have a theme that prints
<h1 class="site-name">$site_name</h1>
at the top of the page and I expect $site_name to have some HTML in it, that seems reasonable and I don't see why we want to change that, especially in Drupal 7. In short, my issue here (and I think it applies to Drupal 8 too) is that it's not clear to me from reading this issue why $site_slogan is consistently gettingfilter_xss_admin()
called on it as part of this patch (andstrip_tags(filter_xss_admin())
when it's being output in places like<head>
) but $site_name is getting something different. Why is the site name fundamentally different from the site slogan?Comment #113
chriscohen CreditAttribution: chriscohen commentedI think there's two separate issues here:
Can we come up with a way of fixing #2 first and getting that into Drupal, and then decide if #1 is something that should be done, and if so, come up with a way of achieving that separately?
I joined this thread at #63 in June 2010, wanting to be able to put an ampersand in my site's title. It's a bit disheartening to see that a simple thing like that has taken more than 2 years and is still going!
Comment #114
disasm CreditAttribution: disasm commentedComment #115
catchMoving back to 8.x per #112 for more discussion.
Comment #116
heddn#107: Inconsistent-use-of-filter_xss_admin-461938-107.patch queued for re-testing.
Comment #118
heddnRemoving Novice tag until discussion and a decision is made.
Comment #119
gregglesI don't know why this is in 8.x queue. What is the outstanding question that affects 8.x? Moving to 7.x since I think that's resolved.
For 7.x I think the question/concern is that we might break contrib themes and a question of whether or not that's OK. In my opinion that's OK. It's why we have release notes :)
Comment #120
David_Rothstein CreditAttribution: David_Rothstein commentedBecause this patch introduced behaviors in Drupal 8 that appear to be a regression from Drupal 7...
You can reproduce this with Bartik (no contrib or custom theme needed) and the following site name (pathological example chosen to get all cases in here at once):
In Drupal 7, if you look at your site header (i.e. the primary place where your site name is displayed), it all works correctly. The word "HTML" is displayed italicized, the "&" displays as expected, and the script tags are filtered out to neutralize the XSS attack.
In Drupal 8, meanwhile, everything is escaped, and thus you can't have the word "HTML" italicized in your site name anymore.
We do need to standardize on something, but I think it's still very unclear why Drupal 8 is currently standardizing on check_plain() rather than filter_xss_admin() (and in particular why it's making the site name behave differently from the site slogan)... If that's really intentional, I guess this issue can go back to Drupal 7 (and maybe needs a Drupal 8 change notice?) but I'm still not clear on why filter_xss_admin() isn't being used for both of them.
For Drupal 7, it might not be possible to standardize on anything, but at a minimum we could do a patch that made sure nothing is ever unescaped (i.e., switched to filter_xss_admin() any places that currently are unescaped) and left everything else alone?
Comment #121
gregglesThanks for stating the questions/problems. That's also part of why why I changed the title of this issue to head toward a solution.
You call it a regression, I'm saying it's "Works as designed" since some of D6 did check_plain on the site_name and some of it didn't. It makes sense to me for the sitename to not contain html which is why it would get check_plained consistently.
If folks feel it should allow some html that's fine with me as well (if so, please update the title). I'd rather make a decision and move forward than let this fester. I don't see any harm in filter_xss_admin on site name as well and am totally willing to be persuaded.
Comment #121.0
gregglesAdjusting spacing
Comment #122
star-szrGoing to see if we can get some eyes on this over the weekend.
Comment #123
star-szrComment #124
star-szrThis issue has been stuck for a long time. Should we (if possible) split it into smaller pieces? It seems like there's a bit of a stalemate now.
Comment #125
joelpittet@Cottser, yes if you know some splits that can be made please do. > 100 comments and last patch in 2012, everything has changed a number of times over. Those functions in the patch don't exist anymore. Xss::adminFilter() and String::checkPlain are the replacements. And autoescape is now on, so all kinds of diff.
Comment #126
heddnMaybe a good split is to use consistency for these values by its location. For example,
<title>
in<head>
shouldn't have markup. But in other locations it is acceptable and sometimes (many times?) it is desired.Comment #127
cilefen CreditAttribution: cilefen commentedI just tested manually on 8.0.x with the string in #120 and the title and slogan are totally escaped in Bartik.
Comment #129
xjmSounds like maybe we should just move this issue to D7 since Twig autoescape fixed it for D8?
Comment #130
gregglesMakes sense to me, thanks for the suggestion xjm.
Comment #131
xjmThanks @greggles. Cleaning up the backport tags.