-rw-r--r--includes/theme.inc6
-rw-r--r--modules/system/system.test48
-rw-r--r--themes/garland/maintenance-page.tpl.php4
-rw-r--r--themes/garland/template.php8
4 files changed, 53 insertions, 13 deletions
diff --git a/includes/theme.inc b/includes/theme.inc
index ebee7255a..f8ebbffb7 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -2259,12 +2259,12 @@ function template_preprocess_html(&$variables) {
// Construct page title.
if (drupal_get_title()) {
- $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
+ $head_title = array(strip_tags(drupal_get_title()), check_plain(variable_get('site_name', 'Drupal')));
}
else {
- $head_title = array(variable_get('site_name', 'Drupal'));
+ $head_title = array(check_plain(variable_get('site_name', 'Drupal')));
if (variable_get('site_slogan', '')) {
- $head_title[] = variable_get('site_slogan', '');
+ $head_title[] = filter_xss_admin(variable_get('site_slogan', ''));
}
}
$variables['head_title'] = implode(' | ', $head_title);
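Review bot: The two branches now escape the head title inconsistently: the site name is passed through `check_plain()` in both branches, while the slogan in the else branch goes through `filter_xss_admin()`, yet all of them are imploded into the same `<title>` string, where markup is never rendered. Whatever markup `filter_xss_admin()` leaves in an admin-entered slogan would therefore show up as literal text in the window title, and as far as I recall its output does not encode quotes the way `check_plain()` does, so the pieces of one string follow two different escaping rules. Unless the slogan deliberately needs different treatment here, `$head_title[] = check_plain(variable_get('site_slogan', ''));` keeps the whole head title under one rule (the new test in system.test would then need to expect the `check_plain()` form of the slogan). template_preprocess_html() begins before this hunk.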
diff --git a/modules/system/system.test b/modules/system/system.test
index 30ba087ef..480d322e4 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
@@ -869,7 +869,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
public static function getInfo() {
return array(
'name' => 'HTML in page titles',
- 'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title().',
+ 'description' => 'Tests correct handling or conversion by drupal_set_title() and drupal_get_title() and checks the correct escaping of site name and slogan.',
'group' => 'System'
);
}
@@ -880,7 +880,7 @@ class PageTitleFiltering extends DrupalWebTestCase {
function setUp() {
parent::setUp();
- $this->content_user = $this->drupalCreateUser(array('create page content', 'access content'));
+ $this->content_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer themes', 'administer site configuration'));
$this->drupalLogin($this->content_user);
$this->saved_title = drupal_get_title();
}
@@ -911,8 +911,8 @@ class PageTitleFiltering extends DrupalWebTestCase {
// Generate node content.
$langcode = LANGUAGE_NONE;
$edit = array(
- "title" => '!SimpleTest! ' . $title . $this->randomName(20),
- "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
+ "title" => '!SimpleTest! ' . $title . $this->randomName(20),
+ "body[$langcode][0][value]" => '!SimpleTest! test body' . $this->randomName(200),
);
// Create the node with HTML in the title.
$this->drupalPost('node/add/page', $edit, t('Save'));
@@ -922,6 +922,46 @@ class PageTitleFiltering extends DrupalWebTestCase {
$this->drupalGet("node/" . $node->nid);
$this->assertText(check_plain($edit["title"]), 'Check to make sure tags in the node title are converted.');
}
+ /**
+ * Test if the title of the site is XSS proof.
+ */
+ function testTitleXSS() {
+ // Set some title with JavaScript and HTML chars to escape.
+ $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
+ $title_filtered = check_plain($title);
+
+ $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
+ $slogan_filtered = filter_xss_admin($slogan);
+
+ // Activate needed appearance settings.
+ $edit = array(
+ 'toggle_name' => TRUE,
+ 'toggle_slogan' => TRUE,
+ 'toggle_main_menu' => TRUE,
+ 'toggle_secondary_menu' => TRUE,
+ );
+ $this->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
+
+ // Set title and slogan.
+ $edit = array(
+ 'site_name' => $title,
+ 'site_slogan' => $slogan,
+ );
+ $this->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
+
+ // Load frontpage.
+ $this->drupalGet('');
+
+ // Test the title.
+ $this->assertNoRaw($title, 'Check for the unfiltered version of the title.');
+ // Adding </title> so we do not test the escaped version from drupal_set_title().
+ $this->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
+
+ // Test the slogan.
+ // Currently Garland is not displaying the slogan so this test is escaped.
+ $this->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
+ $this->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
+ }
}
/**
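Review bot: The slogan assertions at the end of testTitleXSS() prove less than the title ones: `assertNoRaw($slogan)` passes trivially whenever the slogan is not rendered at all, which the comment just above it says is the case for Garland, and `assertRaw($slogan_filtered)` is not anchored to any markup. By the theme.inc hunk the slogan is only part of `head_title` when the page has no title, so on a front page that does set a title the positive match must come from the theme's body output, which is exactly what that comment says is not displayed; worth confirming what the assertion actually matches. The title check, by contrast, anchors on `'</title>'`, which silently assumes the site name is the last `head_title` element, i.e. that the front page sets a page title; that deserves a comment such as `// The front page sets a page title, so the site name is the last head_title element.`. The comment `// Currently Garland is not displaying the slogan so this test is escaped.` should also say what is actually exercised rather than "escaped".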
diff --git a/themes/garland/maintenance-page.tpl.php b/themes/garland/maintenance-page.tpl.php
index 0a4e077ce..97120d5b0 100644
--- a/themes/garland/maintenance-page.tpl.php
+++ b/themes/garland/maintenance-page.tpl.php
@@ -35,10 +35,10 @@
// Prepare header
$site_fields = array();
if ($site_name) {
- $site_fields[] = check_plain($site_name);
+ $site_fields[] = $site_name;
}
if ($site_slogan) {
- $site_fields[] = check_plain($site_slogan);
+ $site_fields[] = $site_slogan;
}
$site_title = implode(' ', $site_fields);
if ($site_fields) {
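Review bot: Dropping `check_plain()` around `$site_name` and `$site_slogan` makes this template print both values as-is, so it now depends on the maintenance-page preprocess having escaped them, and nothing in this commit shows that: the theme.inc hunk only changes `head_title` in template_preprocess_html(), not the `site_name`/`site_slogan` variables handed to maintenance-page.tpl.php. If template_preprocess_maintenance_page() does escape them, say so where the values are consumed, e.g. `// $site_name and $site_slogan arrive already escaped from template_preprocess_maintenance_page(); do not escape again.`; if it does not, this hunk puts the raw site name back into the page. The same applies to the identical change in garland_preprocess_page() in themes/garland/template.php.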
diff --git a/themes/garland/template.php b/themes/garland/template.php
index f25b13cc2..975bc55f5 100644
--- a/themes/garland/template.php
+++ b/themes/garland/template.php
@@ -96,10 +96,10 @@ function garland_preprocess_page(&$vars) {
// Prepare header.
$site_fields = array();
if (!empty($vars['site_name'])) {
- $site_fields[] = check_plain($vars['site_name']);
+ $site_fields[] = $vars['site_name'];
}
if (!empty($vars['site_slogan'])) {
- $site_fields[] = check_plain($vars['site_slogan']);
+ $site_fields[] = $vars['site_slogan'];
}
$vars['site_title'] = implode(' ', $site_fields);
if (!empty($site_fields)) {
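Review bot: The raw `$vars['site_name']`/`$vars['site_slogan']` values collected here feed `site_title` and `site_html`, and in the following hunk the same values become `$site_name_text`/`$slogan_text`, which the comment there describes as title and logo alt attribute text. A value prepared for HTML element content is not automatically safe inside a double-quoted attribute: if the upstream value may still carry tags or unencoded quotes, as `filter_xss_admin()` output typically does, the alt/title attributes can break. For the attribute use, strip markup and escape for that context, e.g. `$slogan_text = check_plain(decode_entities(strip_tags($vars['site_slogan'])));` and likewise for the site name, unless the upstream preprocess is known to emit plain, fully escaped text. garland_preprocess_page() starts before this hunk and continues after it.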
@@ -108,8 +108,8 @@ function garland_preprocess_page(&$vars) {
$vars['site_html'] = implode(' ', $site_fields);
// Set a variable for the site name title and logo alt attributes text.
- $slogan_text = filter_xss_admin(variable_get('site_slogan', ''));
- $site_name_text = filter_xss_admin(variable_get('site_name', 'Drupal'));
+ $slogan_text = $vars['site_slogan'];
+ $site_name_text = $vars['site_name'];
$vars['site_name_and_slogan'] = $site_name_text . ' ' . $slogan_text;
}