Omega does not properly escape the `site_name` variable when it uses it for the `alt` or `title` attributes in the `$logo_img` and `$linked_logo_img` template variables.
This means that if a site_name has any HTML code in it, rendering the logo image in the page could render undesired (e.g. XSS) HTML code.
Patch coming below.
Comment | File | Size | Author |
---|---|---|---|
#1 | omega-escape-sitename-in-logo-attributes-1395848.patch | 7.59 KB | jwilson3 |
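
The escaping problem reported above, shown as an added example that is neither Omega's `template.php` nor the attached patch: it builds a logo `<img>` tag with and without attribute escaping and lists the attributes a parser actually sees. The function names, the `escape_plain()` stand-in for Drupal 7's `check_plain()`, and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not Omega's code. All function names here are hypothetical.

// Stand-in for Drupal 7's check_plain(), which wraps htmlspecialchars() like this.
function escape_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Unescaped form: site_name is concatenated straight into alt and title.
function logo_img_unescaped($logo_url, $site_name) {
  return '<img src="' . escape_plain($logo_url) . '" alt="' . $site_name
    . '" title="' . $site_name . '" />';
}

// Escaped form: site_name is encoded for an HTML attribute context first.
function logo_img_escaped($logo_url, $site_name) {
  $name = escape_plain($site_name);
  return '<img src="' . escape_plain($logo_url) . '" alt="' . $name
    . '" title="' . $name . '" />';
}

// Parse the markup and return the attribute names found on the <img> element.
function img_attribute_names($html) {
  libxml_use_internal_errors(true); // duplicate attributes raise parser warnings
  $doc = new DOMDocument();
  $doc->loadHTML('<html><body>' . $html . '</body></html>');
  libxml_clear_errors();
  $names = array();
  $img = $doc->getElementsByTagName('img')->item(0);
  foreach ($img->attributes as $attr) {
    $names[] = $attr->name;
  }
  return $names;
}

// Constructed sample values: a site name containing a double quote, which
// closes the alt value early and turns the rest into a new attribute.
$site_name = 'Example" data-injected="1';
$logo_url = '/sites/default/files/logo.png';

echo "unescaped: ", implode(', ', img_attribute_names(logo_img_unescaped($logo_url, $site_name))), "\n";
echo "escaped:   ", implode(', ', img_attribute_names(logo_img_escaped($logo_url, $site_name))), "\n";
```

Any attribute beyond `src`, `alt` and `title` in the output means the site name was interpreted as markup rather than as text.
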
Comments
Comment #1
jwilson3: This patch also cleans up a bunch of whitespace issues in the `template.php` file.

Comment #2
fubhy: Committed. Thanks