authorDries Buytaert <dries@buytaert.net>2010-03-04 09:03:08 +0000
committerDries Buytaert <dries@buytaert.net>2010-03-04 09:03:08 +0000
commite5e3d279e299b00890e86f8fa2f4b48ca1ce9948 (patch)
tree1270c28380af0f84d8288d77a63dd1e788bf9c26 /modules/system/system.test
parentd33bad9fa1416b98bd5544f42ed1f5790de2e725 (diff)
- Patch #461938 by Kars-T, Garrett Albright, JamesAn, grendzy: fixed inconsistent use of filter_xss_admin() on the site name and the site slogan.
Diffstat (limited to 'modules/system/system.test')
-rw-r--r--modules/system/system.test48
1 files changed, 44 insertions, 4 deletions
diff --git a/modules/system/system.test b/modules/system/system.test
index 30ba087ef..480d322e4 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
@@ -869,7 +869,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
public static function getInfo() {
return array(
'name' => 'HTML in page titles',
- 'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title().',
+ 'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title() and checks the correct escaping of site name and slogan.',
'group' => 'System'
);
}
@@ -880,7 +880,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
function setUp() {
parent::setUp();
- $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+ $this->content_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer themes', 'administer site configuration'));
$this->drupalLogin($this->content_user);
$this->saved_title = drupal_get_title();
}
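Review bot: The user created in setUp() now holds 'administer themes' and 'administer site configuration' but is still stored as `$this->content_user`, so the name no longer describes the privilege level the fixture carries, and every test in the class now runs as an administrator even though only the new testTitleXSS() needs those rights. A clearer shape is to keep the low-privilege fixture as it was and create the administrator where it is needed, e.g. `$this->admin_user = $this->drupalCreateUser(array('administer themes', 'administer site configuration'));` followed by `$this->drupalLogin($this->admin_user);` at the top of the new test. That also keeps the existing title tests exercising the permission set they were written for.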
@@ -911,8 +911,8 @@ class PageTitleFiltering extends DrupalWebTestCase {
// Generate node content.
$langcode = LANGUAGE_NONE;
$edit = array(
- "title" => '!SimpleTest! ' . $title . $this->randomName(20),
- "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
+ "title" => '!SimpleTest! ' . $title . $this->randomName(20),
+ "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
);
// Create the node with HTML in the title.
$this->drupalPost('node/add/page', $edit, t('Save'));
@@ -922,6 +922,46 @@ class PageTitleFiltering extends DrupalWebTestCase {
$this->drupalGet("node/" . $node->nid);
$this->assertText(check_plain($edit["title"]), 'Check to make sure tags in the node title are converted.');
}
+ /**
+ * Test if the title of the site is XSS proof.
+ */
+ function testTitleXSS() {
+ // Set some title with JavaScript and HTML chars to escape.
+ $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
+ $title_filtered = check_plain($title);
+
+ $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
+ $slogan_filtered = filter_xss_admin($slogan);
+
+ // Activate needed appearance settings.
+ $edit = array(
+ 'toggle_name' => TRUE,
+ 'toggle_slogan' => TRUE,
+ 'toggle_main_menu' => TRUE,
+ 'toggle_secondary_menu' => TRUE,
+ );
+ $this->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
+
+ // Set title and slogan.
+ $edit = array(
+ 'site_name' => $title,
+ 'site_slogan' => $slogan,
+ );
+ $this->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
+
+ // Load frontpage.
+ $this->drupalGet('');
+
+ // Test the title.
+ $this->assertNoRaw($title, 'Check for the unfiltered version of the title.');
+ // Adding </title> so we do not test the escaped version from drupal_set_title().
+ $this->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
+
+ // Test the slogan.
+ // Currently Garland is not displaying the slogan so this test is escaped.
+ $this->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
+ $this->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
+ }
}
/**
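Review bot: The comment above the slogan assertions, `// Currently Garland is not displaying the slogan so this test is escaped.`, does not describe what the code under it does: nothing is skipped, both assertions run, and if the front page really omits the slogan then `$this->assertRaw($slogan_filtered, ...)` fails instead of being bypassed. Either remove the comment or reword it to what is actually checked, e.g. `// The slogan may only appear in its filter_xss_admin() form; the assertRaw() fails if the theme does not print it.` filter_xss_admin() is not in this hunk, but if it strips the script element and keeps its text, `$slogan_filtered` is just the bare `alert("Slogan XSS!");` string, which makes the preceding `assertNoRaw($slogan, ...)` the load-bearing XSS check rather than the assertRaw. For the site name, `$title_filtered . '</title>'` proves escaping only inside the `<title>` element; if the theme also prints the site name in the page header, an additional `$this->assertNoRaw('<script type="text/javascript">alert("Title XSS!");', ...)` would cover that occurrence without depending on where drupal_set_title() places its own escaped copy.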