- Patch #461938 by c960657, Kars-T, Garrett Albright, dsdeiz, JamesAn,...

- Patch #461938 by c960657, Kars-T, Garrett Albright, dsdeiz, JamesAn, grendzy: Fixed inconsistent use of filter_xss_admin() on () and ().

core/includes/theme.inc

@@ -2485,7 +2485,7 @@ function template_preprocess_html(&$variables) {
   else {
     $head_title = array('name' => check_plain($site_config->get('name')));
     if ($site_config->get('slogan')) {
-      $head_title['slogan'] = filter_xss_admin($site_config->get('slogan'));
+      $head_title['slogan'] = strip_tags(filter_xss_admin($site_config->get('slogan')));
     }
   }
   $variables['head_title_array'] = $head_title;
@@ -2580,7 +2580,7 @@ function template_preprocess_page(&$variables) {
   $variables['main_menu']         = theme_get_setting('toggle_main_menu') ? menu_main_menu() : array();
   $variables['secondary_menu']    = theme_get_setting('toggle_secondary_menu') ? menu_secondary_menu() : array();
   $variables['action_links']      = menu_local_actions();
-  $variables['site_name']         = (theme_get_setting('toggle_name') ? filter_xss_admin($site_config->get('name')) : '');
+  $variables['site_name']         = (theme_get_setting('toggle_name') ? check_plain($site_config->get('name')) : '');
   $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? filter_xss_admin($site_config->get('slogan')) : '');
   $variables['tabs']              = menu_local_tabs();
 
@@ -2771,13 +2771,13 @@ function template_preprocess_maintenance_page(&$variables) {
   if (drupal_get_title()) {
     $head_title = array(
       'title' => strip_tags(drupal_get_title()),
-      'name' => $site_name,
+      'name' => check_plain($site_name),
     );
   }
   else {
-    $head_title = array('name' => $site_name);
+    $head_title = array('name' => check_plain($site_name));
     if ($site_slogan) {
-      $head_title['slogan'] = $site_slogan;
+      $head_title['slogan'] = strip_tags(filter_xss_admin($site_slogan));
     }
   }
 
@@ -2794,8 +2794,8 @@ function template_preprocess_maintenance_page(&$variables) {
   $variables['messages']          = $variables['show_messages'] ? theme('status_messages') : '';
   $variables['main_menu']         = array();
   $variables['secondary_menu']    = array();
-  $variables['site_name']         = (theme_get_setting('toggle_name') ? $site_name : '');
-  $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? $site_slogan : '');
+  $variables['site_name']         = (theme_get_setting('toggle_name') ? check_plain($site_name) : '');
+  $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? filter_xss_admin($site_slogan) : '');
   $variables['tabs']              = '';
   $variables['title']             = drupal_get_title();
 

core/modules/system/lib/Drupal/system/Tests/System/TokenReplaceTest.php

@@ -119,7 +119,7 @@ function testSystemSiteTokenReplacement() {
     // Generate and test sanitized tokens.
     $tests = array();
     $tests['[site:name]'] = check_plain(config('system.site')->get('name'));
-    $tests['[site:slogan]'] = check_plain(config('system.site')->get('slogan'));
+    $tests['[site:slogan]'] = filter_xss_admin(config('system.site')->get('slogan'));
     $tests['[site:mail]'] = 'simpletest@example.com';
     $tests['[site:url]'] = url('<front>', $url_options);
     $tests['[site:url-brief]'] = preg_replace(array('!^https?://!', '!/$!'), '', url('<front>', $url_options));

core/modules/system/system.tokens.inc

@@ -151,7 +151,7 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 
         case 'slogan':
           $slogan = config('system.site')->get('slogan');
-          $replacements[$original] = $sanitize ? check_plain($slogan) : $slogan;
+          $replacements[$original] = $sanitize ? filter_xss_admin($slogan) : $slogan;
           break;
 
         case 'mail':

core/themes/bartik/template.php

@@ -54,7 +54,7 @@ function bartik_process_page(&$variables) {
   $variables['hide_site_slogan'] = theme_get_setting('toggle_slogan') ? FALSE : TRUE;
   if ($variables['hide_site_name']) {
     // If toggle_name is FALSE, the site_name will be empty, so we rebuild it.
-    $variables['site_name'] = filter_xss_admin($site_config->get('name'));
+    $variables['site_name'] = check_plain($site_config->get('name'));
   }
   if ($variables['hide_site_slogan']) {
     // If toggle_site_slogan is FALSE, the site_slogan will be empty, so we rebuild it.
@@ -102,7 +102,7 @@ function bartik_process_maintenance_page(&$variables) {
   $variables['hide_site_slogan'] = theme_get_setting('toggle_slogan') ? FALSE : TRUE;
   if ($variables['hide_site_name']) {
     // If toggle_name is FALSE, the site_name will be empty, so we rebuild it.
-    $variables['site_name'] = filter_xss_admin($site_config->get('name'));
+    $variables['site_name'] = check_plain($site_config->get('name'));
   }
   if ($variables['hide_site_slogan']) {
     // If toggle_site_slogan is FALSE, the site_slogan will be empty, so we rebuild it.