Omega does not properly escape the site_name variable when it uses it for the alt or title attributes in the $logo_img and $linked_logo_img template variables.

This means that if a site_name has any HTML code in it, rendering the logo image in the page could render undesired (e.g. XSS) HTML code.

Patch coming below.
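The escaping problem described in this report, as an added example that is not part of the original issue and is not the code from the attached patch. The function names, the logo path and the sample site name are hypothetical, and `escape_plain()` is a stand-in for an HTML-escaping helper such as Drupal's `check_plain()`.

```php
<?php
// Added illustration; all names and sample values here are constructed.

// Stand-in for an HTML-escaping helper such as Drupal's check_plain().
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before: the site name goes into the alt and title attributes as-is.
function logo_img_unescaped($logo_url, $site_name) {
  return '<img src="' . $logo_url . '" alt="' . $site_name
    . '" title="' . $site_name . '" id="logo" />';
}

// After: every value is escaped before it is placed inside an attribute.
function logo_img_escaped($logo_url, $site_name) {
  $name = escape_plain($site_name);
  return '<img src="' . escape_plain($logo_url) . '" alt="' . $name
    . '" title="' . $name . '" id="logo" />';
}

// Parse the markup the way a browser would and list the attribute
// names that end up on the <img> element.
function img_attribute_names($html) {
  libxml_use_internal_errors(true); // silence parser warnings
  $doc = new DOMDocument();
  $doc->loadHTML($html);
  libxml_clear_errors();
  $names = array();
  $img = $doc->getElementsByTagName('img')->item(0);
  if ($img !== null) {
    foreach ($img->attributes as $attr) {
      $names[] = $attr->nodeName;
    }
  }
  return $names;
}

// Constructed site name containing a double quote and extra markup.
$site_name = 'Acme" data-injected="yes';

foreach (array('logo_img_unescaped', 'logo_img_escaped') as $build) {
  $html = $build('/sites/default/files/logo.png', $site_name);
  echo $build, ":\n  ", $html, "\n  attributes: ",
    implode(', ', img_attribute_names($html)), "\n";
}
```

In the unescaped output the quote in the site name ends the `alt` value early and the rest is parsed as a separate attribute; in the escaped output the whole site name stays inside `alt` and `title` as text.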


Comments

jwilson3

Status: Active » Needs review
File size: 7.59 KB

This patch also cleans up a bunch of whitespace issues in the template.php file.

fubhy

Status: Needs review » Fixed

Committed. Thanks

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.