Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.145.2.13
diff -u -p -r1.145.2.13 bootstrap.inc
--- includes/bootstrap.inc	14 Jan 2009 19:12:27 -0000	1.145.2.13
+++ includes/bootstrap.inc	30 Apr 2009 00:29:00 -0000
@@ -725,6 +725,8 @@ function request_uri() {
       $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
     }
   }
+  // Prevent multiple slashes to avoid cross site requests via the FAPI.
+  $uri = '/'. ltrim($uri, '/');
 
   return $uri;
 }
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.611.2.22
diff -u -p -r1.611.2.22 common.inc
--- includes/common.inc	16 Jan 2009 19:26:09 -0000	1.611.2.22
+++ includes/common.inc	30 Apr 2009 00:29:00 -0000
@@ -152,6 +152,15 @@ function drupal_get_headers() {
 }
 
 /**
+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+  // Make sure that the charset is always specified as the first element of the
+  // head region to prevent encoding-based attacks.
+  return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**
  * Add a feed URL for the current page.
  *
  * @param $url
Index: includes/theme.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/theme.inc,v
retrieving revision 1.337.2.7
diff -u -p -r1.337.2.7 theme.inc
--- includes/theme.inc	5 Dec 2008 22:32:50 -0000	1.337.2.7
+++ includes/theme.inc	30 Apr 2009 00:29:00 -0000
@@ -168,7 +168,12 @@ function theme() {
     $functions[$function] = theme_get_function($function);
   }
   if ($functions[$function]) {
-    return call_user_func_array($functions[$function], $args);
+    $output = call_user_func_array($functions[$function], $args);
+    // Add final markup to the full page.
+    if ($function == 'page') {
+      $output = drupal_final_markup($output);
+    }
+    return $output;
   }
 }
 
Index: themes/bluemarine/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/bluemarine/Attic/page.tpl.php,v
retrieving revision 1.20
diff -u -p -r1.20 page.tpl.php
--- themes/bluemarine/page.tpl.php	30 Aug 2006 07:37:13 -0000	1.20
+++ themes/bluemarine/page.tpl.php	30 Apr 2009 00:29:00 -0000
@@ -2,8 +2,8 @@
 <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language ?>" xml:lang="<?php print $language ?>">
 
 <head>
-  <title><?php print $head_title ?></title>
   <?php print $head ?>
+  <title><?php print $head_title ?></title>
   <?php print $styles ?>
   <?php print $scripts ?>
   <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyle Content in IE */ ?> </script>
Index: themes/chameleon/chameleon.theme
===================================================================
RCS file: /cvs/drupal/drupal/themes/chameleon/Attic/chameleon.theme,v
retrieving revision 1.56.2.2
diff -u -p -r1.56.2.2 chameleon.theme
--- themes/chameleon/chameleon.theme	31 May 2007 06:13:36 -0000	1.56.2.2
+++ themes/chameleon/chameleon.theme	30 Apr 2009 00:29:00 -0000
@@ -39,8 +39,8 @@ function chameleon_page($content, $show_
   $output  = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
   $output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\">\n";
   $output .= "<head>\n";
-  $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
   $output .= drupal_get_html_head();
+  $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
   $output .= drupal_get_css();
   $output .= drupal_get_js();
   $output .= "</head>";
Index: themes/garland/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/garland/page.tpl.php,v
retrieving revision 1.5
diff -u -p -r1.5 page.tpl.php
--- themes/garland/page.tpl.php	14 Dec 2006 00:37:00 -0000	1.5
+++ themes/garland/page.tpl.php	30 Apr 2009 00:29:00 -0000
@@ -2,8 +2,8 @@
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language ?>" lang="<?php print $language ?>">
   <head>
-    <title><?php print $head_title ?></title>
     <?php print $head ?>
+    <title><?php print $head_title ?></title>
     <?php print $styles ?>
     <?php print $scripts ?>
     <style type="text/css" media="print">@import "<?php print base_path() . path_to_theme() ?>/print.css";</style>
Index: themes/pushbutton/page.tpl.php
===================================================================
RCS file: /cvs/drupal/drupal/themes/pushbutton/Attic/page.tpl.php,v
retrieving revision 1.16
diff -u -p -r1.16 page.tpl.php
--- themes/pushbutton/page.tpl.php	30 Aug 2006 07:37:14 -0000	1.16
+++ themes/pushbutton/page.tpl.php	30 Apr 2009 00:29:00 -0000
@@ -1,9 +1,9 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language ?>" xml:lang="<?php print $language ?>">
 <head>
-  <title><?php print $head_title ?></title>
   <meta http-equiv="Content-Style-Type" content="text/css" />
   <?php print $head ?>
+  <title><?php print $head_title ?></title>
   <?php print $styles ?>
   <?php print $scripts ?>
 </head>