So I just installed Drupal 7.10 and am playing around with it a bit. I changed my site name to david->writes('<drupal>');. What I got was david->writes('');. (I got the same thing when trying to post this message, as I figured I might. Manually escaping) I figured the validation was removing the <drupal> "tag", so I found where this takes place in the _filter_xss_split function in includes/common.inc.

If the text looks like a tag, but is not one of the listed supported tags, an empty string is returned. Seems a little lazy really. So I changed the return ''; (line 1411) to

return '&lt;'.$elem.'&gt;';

Anyway, my site name shows up correctly now.

I haven't tested this thoroughly, but I don't see how it would cause a problem. It's just a little escape action.

Has anyone else seen this and fixed it? Is it something that we could get changed in the core? Anyone see any potential problems? Other comments?

Thanks,
David Watson
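
A minimal allow-list tag filter showing the two behaviours this thread discusses, dropping a disallowed element versus escaping it. This is an added example, not code from the original post and not Drupal's _filter_xss_split; the function name sketch_filter_tags, the allow list and the sample inputs are constructed for illustration.

```php
<?php
// Hypothetical sketch of an allow-list tag filter; not Drupal's code.
// $mode 'strip' drops a disallowed element, 'escape' keeps it as text.
function sketch_filter_tags($string, array $allowed, $mode = 'strip') {
  $allowed = array_flip(array_map('strtolower', $allowed));
  // Match a whole tag-like element, or a lone "<" or ">".
  return preg_replace_callback('%(<[^<>]*>|<|>)%',
    function ($m) use ($allowed, $mode) {
      $piece = $m[1];
      if ($piece === '<') { return '&lt;'; }
      if ($piece === '>') { return '&gt;'; }
      $escaped = htmlspecialchars($piece, ENT_QUOTES, 'UTF-8');
      // Pull the optional slash and the element name out of the piece.
      if (!preg_match('%^<\s*(/?)\s*([a-zA-Z0-9\-]+)[^>]*>$%', $piece, $t)) {
        return $mode === 'escape' ? $escaped : '';
      }
      if (isset($allowed[strtolower($t[2])])) {
        // Allowed element: rebuild it without attributes.
        return '<' . $t[1] . strtolower($t[2]) . '>';
      }
      // Disallowed element: the choice the thread is about.
      return $mode === 'escape' ? $escaped : '';
    }, $string);
}

// Constructed sample inputs, including the site name from the post.
$samples = array(
  "david->writes('<drupal>');",
  '<em>fine</em> and <blink>not fine</blink>',
  '<b onclick="x()">bold</b> 1 < 2',
);
$allowed = array('em', 'b');

foreach ($samples as $s) {
  $stripped = sketch_filter_tags($s, $allowed, 'strip');
  $escaped = sketch_filter_tags($s, $allowed, 'escape');
  echo "input:    $s\n";
  echo "strip:    $stripped\n";
  echo "escape:   $escaped\n";
  // Escaping again at output time double-encodes the entities.
  echo "escape+2: " . htmlspecialchars($escaped, ENT_QUOTES, 'UTF-8') . "\n\n";
}
```

Run it with the PHP command-line interpreter; the last line of each group shows what happens when text escaped by the filter is passed through a second escaping step at output.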

Comments

VM

This post should be in the post installation forum. Please edit and move it.

Best bet in this case is to hardcode the sitename in the tpl.php file where you can use any characters you want instead of hacking core validation and protection. This also makes it much easier to update your site since you won't have to replace hacks.

davidlwatsonjr

Thanks, VM! Yeah, that's why I brought it up, because I THOUGHT I had found something that would help the core (which I'm still not sure it wouldn't), and I didn't want to make a change to my core only to have it overridden on upgrade. However, further investigation reveals this will not be the problem I thought it might when posting content if I understand filters. So I continue to learn.

Thanks for the heads up.

VM

< & > are filtered out because HTML is disallowed in those fields.

RobW

If you think it's an improvement, the core issue queue is the place for it.